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Abstract 


In concurrent process theory, processes are often modeled by state machines and Petri Nets. 
Algebraic process theories based on state machines, exemplified by Milner’s CCS and Hoare’s 
CSP, have been more fully developed than Net-based theories, but are inadequate for modeling 
“true” concurrency concepts such as non-atomic actions, action refinement, locality of actions, 
and multithreadedness. We introduce an action refinement operator and present some “fully 
abstract” semantics for “true” concurrency. We show that these semantics are decidable for 
finite-state concurrent processes and characterize their computational complexity. 
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Chapter 1 


Introduction 


In concurrent process theory, processes are often represented by state machines and Petri Nets. 
State machines, by definition, have no explicit representation of concurrency, and they iden- 
tify concurrent actions with sequential, interleaved actions. Process theories based on state 
machines, exemplified by Milner’s CCS [30] and Hoare’s CSP [21], typically have associated 
combinators for composing large processes from smaller components, compositional techniques 
for reasoning about processes through reasoning about their components, sound and complete 
techniques for reasoning about process equivalence, and algorithms for deciding equivalence of 
finite-state processes. These elegant properties have led to automatic verification techniques 
and tools such as model checkers. 

However, as is well-known, the state machine approach is inherently inadequate for describ- 
ing action refinement, the operation of refining atomic actions in a concurrent process, which 
suggests aspects of top-down “modular” development [1, 2, 3, 10, 16, 20, 32, 39, 40, 41, 47] 
and “changes of granularity” [28, 31]. This limitation is a direct result of the identification of 
concurrent actions with sequential, interleaved actions. For example, the state-machine repre- 
sentation of the concurrent process a || 6, which can concurrently perform an a and 6 action, 
is identical to the state-machine representation of the purely sequential process ab + ba, which 
can sequentially perform an a and 6 action in either order. This state-machine is pictured in 
Figure 1-1. 


Figure 1-1: State-Machine Representation of a || 6 and ab + ba 
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Splitca a, ,a_)(ab + ba) splitiaa,,a_)(@ || 5) 
Figure 1-2: After Action Refinement 


Now, if the @ action in both processes is “refined” or “split” into two actions, a, followed 


by a_, the resulting processes, split, 4, 4_)(@ || b) def aza_ || 6 and splitia a, ¢_)(ab + ba) def 


a,a_b+ba,a_ have completely different state-machine representations, pictured in Figure 1-2. 
Thus, the state machine model is inherently inadequate for describing even the simplest forms 
of action refinement on concurrent processes. In particular, the state machines of Figure 1-2 are 
distinguished by all the state-machine based process equivalences in the literature, including 
bisimulation equivalence (CCS) [30], partial-trace equivalence, failures equivalence (CSP) [8, 9], 
and Hennessy’s Testing-equivalence [19], an elegant experimental justification for partial-traces 
and failures. 


We remark that the operation of refining transitions in a state-machine does model action 
refinement of purely sequential processes. Moreover, trace equivalence, failures equivalence, 
Testing-equivalence, and intuitively simple variations of bisimulation, notably delay bisimula- 
tion and branching bisimulation [12, 13, 43] are sound techniques for reasoning about action 
refinement on purely sequential processes. However, since all of these equivalences identify 
concurrent actions with interleaved actions, none of them are sound for reasoning about action 
refinement on concurrent processes. 


Petri Net theory, on the other hand does distinguish “true” concurrency from interleaving 
by axiomatizing a “causal” partial order on process actions, and is adequate for describing 
action refinement of concurrent processes. However, Petri Net theory typically does not offer 
an explanation of how an external observer can detect causality. Hence, in contrast to the state- 
machine theories, Petri Net theory does not provide complete techniques for reasoning about 
process equivalence, and compositional reasoning techniques and associated decision procedures 
are also much less developed. 

An important problem is to merge these viewpoints by developing an operational net model 
for process theories such as CCS and CSP that has a sound and complete justification for dis- 
tinguishing processes. This requires a precise characterization of which nets are distinguishable 
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by any external observer — who sees only sequential behavior — performing action refinement 
and the CCS/CSP-style operations. To this end, it is useful to develop a “fully abstract” 
denotational semantics that precisely captures these distinctions. In contrast to purely oper- 
ational characterizations, which are implicitly quantified over an infinite number of contexts, 
fully abstract semantics have the advantage that they often lead to a semantic foundation for 
recursively-defined processes, logical foundations for proving equivalence of (possibly infinite- 
state) processes, and decision procedures for equivalence of finite-state processes. 


Definition 1.0.1 A semantics, [-], assigning to any process, P, a meaning, [P], is composi- 
tional for an operator on processes if semantic equality is a congruence for the operator, t.e., the 
operator preserves semantic equality. We say that a semantics is adequate for an equivalence 
on processes if semantic equality implies process equivalence. Finally, we say that a semantics 
is fully abstract for a process equivalence with respect to a set of operators if semantic equality 
is the coarsest congruence for those operators that is adequate for the equivalence. 


1.1 True Concurrency Semantics and Action Refinement on 
Petri Nets 


A starting point for such an investigation is to apply state-machine-based equivalences to Petri 
Nets. It is well-known [10] that these equivalences, including partial traces, failures, bisim- 
ulation, and Testing-equivalence, are not compositional for even very simple forms of action 
refinement on Petri Nets, including those whose only effect is to “split” actions into two parts. 

In a seminal paper [47], Vogler has developed a semantics for labeled, 1-safe Petri Nets 
that is compositional for certain simple “split” and “choice” refinements, and indeed is fully 
abstract for failures semantics [9] and Hennessy’s MUST-experiments [19]. Furthermore, his 
semantics supports a full process theory involving CSP-style parallel process composition-with- 
communication, hiding, deadlock, and divergences (cf. [9, 19, 21, 30]). Vogler’s semantics is 
based on “pomset-traces,” which are a generalization of ordinary traces, 7.e., sequences of 
visible actions, to multi-sets of actions partially ordered to reflect causality and concurrency. 
In particular, his semantics consists of “interval pomset-failures”: namely, pomset-traces with 
a certain “interval” order, paired with “failure sets” [8, 9, 21]. 

Vogler’s elegant insight is that pomset-failures are not compositional for split refinements, 
since these refinements reveal “failure sets” of nets when transitions have “half-fired”: that is, 
when all tokens have been removed from the preset of the transition but no tokens have been 
added to the postset. Vogler’s technical solution is to specify some maximal events of pomset- 
traces to be “half-fired” and to keep track of the corresponding failure sets. The fully abstract 
semantics for non-divergent nets is obtained by performing certain closure operations and then 
restricting to interval orders. This is extended to a fully abstract semantics for divergent nets 
by additionally keeping track of “divergent” pomset-traces (with half-fired events), performing 
certain closure operations, and then again restricting to interval orders. 

Although Vogler’s insight about half-fired transitions is quite elegant, the “half-fired events” 
in his pomset-failures make the definition of his semantics and his proofs of compositionality 
quite difficult to understand. Furthermore, as Vogler points out, his “general pomset” semantics 
for divergent nets, i.e., the intermediate semantics obtained before restricting to interval orders, 
is not compositional for split and choice refinements, and he states and leaves open [47, 49] the 
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problem of identifying such a semantics that is compositional. As a consequence, his closure 
operations become rather technically complicated. 


Vogler generalizes his simple split and choice refinements to allow a fairly large class of 
“refinement nets” required to satisfy some structural and behavioral conditions, which are 
rather technical and quite restrictive. His semantics is compositional with respect to each of 
the operators corresponding to his refinement nets. Namely, if two nets are equivalent under his 
semantics, then applying the same action refinement p to them yields semantically equivalent 
nets. 


However, it is not the case that his semantics is compositional for nets as action refinement 
operators. For example, the nets a and 7.a, where 7 is the hidden action, are semantically 
equivalent as operands or targets of action refinement, but they behave differently when used 
as operators refining an action b, viz., 


[a] =Vogler [ra], 


but [(b+ ¢)[b:=a]] Avogier [(b+ ¢)[b:=7.a]]. 


In this thesis, we simplify and extend Vogler’s results in a number of ways. We first present 
a general class of Well Terminating (WT) Nets, which are possibly infinite, safe nets with 
designated transitions for signaling successful termination. We then present WT Net opera- 
tors corresponding to the familiar CCS/CSP operations of prefixing (a.), restriction (\a), hid- 
ing (—a), renaming ([f]), CSP-style sequencing (;), non-communicating parallel composition 
(||), CSP-style parallel-composition-with-synchronization (||, ), CCS-style parallel-composition- 
with-hiding (|), internal choice, and CCS-style choice (+47). All of our net operations are closely 
related to the corresponding CCS/CSP operators on labeled transition systems (Its’s). 


The first main result of this thesis is that rather than keeping track of the technically 
cumbersome half-fired events, it is sufficient to first simply “duplicate-and-split” all the visible 
transitions in a net and then take the ordinary pomset-failures of the “duplicate-split” net. For 
divergent nets, one must also keep track of “pomset-divergences”: namely, pomsets together 
with an explicit representation of the possibly concurrent divergences that are enabled. Per- 
forming some natural closure operations then yields a “general pomset” semantics, [-]My.5, that 
is compositional for split refinements, choice refinements, and all of the CCS/CSP operators 
on WT Nets, and whose restriction, [-],.,, to interval pomsets is fully abstract for MUST- 
equivalence. We describe a similar fully abstract semantics, [-JMA’, for MAyY-equivalence [19] 
based on “pomset-traces”; the MAY- and MUST-semantics together provide a fully abstract 


semantics for Testing Equivalence [19]. 


Our semantics greatly simplify Vogler’s representation by avoiding “half-fired” events; fur- 
thermore, keeping track of concurrent divergences simplifies the closure operations and yields 
compositionality of the [-JNi., semantics. This generalizes Vogler’s results and solves the open 
problem mentioned earlier. 


This thesis then presents a class of Refinable Well- Terminating (RWT) Nets, which form a 
large subclass of WT Nets that is closed under almost all of the WT operations, together with 
a definition of action refinement that allows any RWT net to be used as a target or operator 
of action refinement. The second main result of this thesis is that in contrast to Vogler’s 
semantics, all of our semantics are compositional for RWT Nets as targets and operators of 


action refinement, with the [-]i{i and [-]3ni, semantics remaining fully abstract for MAy- and 
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MUST-equivalence. 


1.2 The Semantic Domains and Recursion 


In order to ensure that our semantic theories support recursively-defined concurrent processes, 
we present an abstract characterization of all our semantics. Our semantic domains form 
algebraic complete partial orders in which all compact elements are definable as the meanings 
of WT Nets, and all of our operators are continuous functions. 


1.3 Deciding True Concurrency Equivalences 


The decision problem for finite-state concurrent processes under a variety of interleaving se- 
mantics has been widely studied in the literature, and the computation complexity has been 
tightly characterized [4, 26, 29, 34, 36]. In contrast, there have been essentially no results on the 
complexity of the decision problems for true concurrency equivalences on finite-state concurrent 
processes, and little is even known about the decidability of these equivalences. For example, 
decidability of such a basic true concurrency property as pomset-trace equivalence appears not 
to have been known. 

One of the main results of this thesis is that pomset-trace equivalence is decidable for finite 
l-safe Petri Nets, and is, in fact, complete for EXPSPACE. Furthermore, we show that the 
decision problem for history-preserving bisimulation [5, 35, 39, 44, 46] on finite 1-safe Petri 
nets is complete for DEXPTIME. History-preserving bisimulation had earlier been shown by 
Vogler [46] to be decidable; however, he left open its complexity. 

In contrast to interleaving equivalences, the decidability of pomset-trace equivalence for 
finite nets does not obviously reduce to equivalence of finite automata. The difficulty is that 
the causal ordering in a pomset-trace depends e@ priori on the entire pomset-trace, which may be 
unboundedly large. Inspired by Vogler’s decision procedure for history-preserving bisimulation, 
we show that there is in fact a bound on the required information. This idea leads to our 
decision procedure for pomset-trace equivalence, and a simple analysis of this procedure yields 
an EXPSPACE upper bound. The same approach also gives a DEXPTIME decision procedure 
for history-preserving bisimulation. Our lower bounds for these true concurrency equivalences 
follow easily by reductions from the corresponding interleaving equivalences [29, 34, 36]. 

Our methods also yield tight complexity bounds for about a dozen other true concurrency 
equivalences, several of which resolve open problems in the literature. 


1.4 Outline of the Thesis 


Chapter 2 presents our class of Well-Terminating Nets together with split refinements, choice 
refinements, and our CCS/CSP operators. A brief introduction to Hennessy’s experiments, 
Testing-equivalence, partial trace semantics and failures semantics is given in Chapter 3. We 
then develop our true concurrency semantics for Well-Terminating Nets, prove that they are 
compositional for all our Net operators and adequate for MAY- and MUST-equivalence, and show 
that their “interval” restrictions are fully abstract. The corresponding semantic domains are 
developed in Chapter 4. 
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Chapter 5 presents our action refinement operator, and shows that our semantics are com- 
positional and our semantic domains are closed under this operator. Our decidability results for 
true concurrency equivalences appear in Chapter 6. This chapter is self-contained, and hence 
repeats some earlier definitions. Chapter 7 concludes with a discussion of some further results, 


open problems, and future work. 


Chapter 2 


Well-Terminating Nets and 
Operations 


2.1 Well-Terminating Nets 


Throughout this thesis, we use the standard definitions (cf. [46]) of Petri Nets and their oper- 
ational behavior. In order to keep this thesis relatively self-contained, we repeat them here: 


Definition 2.1.1 A labeled Petri Net, N, is a triple (Sy,7n, Starty), where Sy is the set 
of places, Ty is the set of transitions, and Starty is the set of initially marked places (which 
contain “tokens” ). Every transition, ¢, in Ty has a label, [y(t), a preset, prey (t), and a post-set, 
post, (t). We refer to the label 7 as the “hidden action”, and refer to all labels other than 7 
as “visible actions”. A transition is visible (hidden) iff its label is visible (hidden). For every 
place s € Sy, we write prey(s) and posty(s) to refer to its preset and post-set. We assume for 
expository simplicity that all transitions have non-empty presets, and that the initial marking 
is non-empty. 

Transitions are represented graphically as horizontal bars, places are represented as circles, 
and tokens are represented as dots in these circles. The preset of a transition is the set of places 
from which there is an arrow to the transition; the post-set of a transition is the set of places 
to which there is an arrow from the transition. Dually, the preset (post-set) of a place is the 
set of transitions from (to) which there is an arrow to (from) the place. 

A marking of a net is an assignment of a non-negative number of “tokens” to each place in 
the net. A transition, t, is enabled under a marking iff every place in the preset of ¢ contains at 
least one token. If a transition ¢ is enabled in a marking, then ¢ can fire by removing a token 
from each place in its preset and placing a token into each place in its post-set. 

A firing sequence of a net, N, is a possibly empty sequence, t,...¢,, of transitions of N 
such that ¢, is enabled under the initial marking of N, and each ¢; is successively enabled in 
the marking resulting from firing t,...t;_,. A run is a finite firing sequence. The reachable 
markings of a net are exactly those markings that result from firing some run. A net is 1-safe 
iff every place contains at most one token under any reachable marking. Rather than being 
represented as a function from places to non-negative integers, a marking of a 1l-safe net can be 
written as the set of places that contain a token. 
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A pair of transitions, ¢ and t’, can fire concurrently in a 1-safe net iff the union of the preset 
and post-set of ¢ is disjoint from that of ¢’ and there is a reachable marking in which both t 
and ?t’ are enabled. 


Our class of “Well-Terminating” Nets is related to the class of CSP processes that signal 
successful termination by performing a distinguished action, \/. In a similar manner, our well- 
terminating nets signal successful termination by firing any transition labeled with ,/. In order 
to ensure that the net has actually terminated, we require that all places in the net be unmarked 
after any ,/-labeled transition fires. We wish to restrict our attention to labeled, 1-safe nets 
with “computable behavior,” and we thus impose some syntactic and behavioral restrictions 
that guarantee finite-markings and finite-branching of the underlying transition system. 


Definition 2.1.2 The class of Well-Terminating (WT) Nets consists of pairs (N, Act) such 
that Act is a finite set of visible labels containing \/ and N is a l-safe, possibly infinite Petri 
net, all of whose transitions are labeled with actions in ActU{r}. Furthermore, N must satisfy 
the following properties: 


e The initial marking is finite. 
e The preset and post-set of every transition is finite. 
e Only a finite number of transitions are enabled under any reachable marking. 


e All places are unmarked immediately after any \/-labeled transition fires. This condition 
must be satisfied in every reachable marking. 


We note that these conditions together imply that all reachable markings are finite and that 
nets have only finite concurrency. The condition on the \/-transitions ensures that no transition 
(not even a \/-transition) can be fired concurrently with, or following, a \/-transition. 

Our \/-labeled transitions serve to distinguish deadlock from successful termination. We say 
that a net successfully terminates when a ,/-labeled transition fires, while a net is deadlocked 
exactly when no transition is enabled. The ,/-action plays a distinguished role in our theory, 
and our net operators are defined in a way that respects this distinguished role. 

WT Nets form natural isomorphism classes: 


Definition 2.1.3 Let (Nj, Act) and (No, Act) be WT Nets over a common alphabet, Act. 
Then (N,, Act) and (Nz, Act) are isomorphic iff there is a bijection f from Sy, to Sy, and a 
bijection g from Ty, to Ty, such that Starty, = f(Starty,), and ly,(g(t)) = ly, (4), prey,(g(t)) = 
f(prey,(t)), and posty,(g(t)) = f(posty, (t)) for every t € Ty,. 


In order to view WT Nets as an operational model for CCS and CSP, we will find it useful 
to represent the behavior of nets as labeled transition systems. The following definition is 
standard and is essentially taken verbatim from [19]. 


Definition 2.1.4 A labeled transition system (Its) is a triple (5, Act, —, sinit), where 
e Sis a set of states containing Sinit- 


e Act is a set of labels. 
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e — isarelationin S x Act x5. 
@ Sinit is designated as the “initial state” in S. 


. a . . a . 
We write s —= s’ in place of (s,a,s’) €—+. The relations —— are extended to relations 
U . . 
——, for every v € Act*, in the obvious way: 
€ . . 
1. s —> 8 iff s’ is s 
au . a U 
2. s —> s' iff s —> s” for some s” such that s” —> s'. 
. U . . . 
This means s —> s’ if s can evolve to s’ by performing the sequence of actions v. We also 
. U . U . . 
write s —> to mean that there exists a s’ such that s ——= s’. We say that an action, a, is 
? ? 


enabled at a state, s, iff s +. 
If Act contains the label r, these relations are generalized as follows, for every v € Act”: 


a : 7 a ri -. 
1. s=> s' iff s 81 89 8’ for some states s,, 52 and some 7,7 > 0 


k 
2. s=> s8' iff s — s' for some k > 0 
3. s = s! iff s => 8” for some s” such that s” => s’. 


This means s => s’ if s can evolve to s’ by performing the sequence of actions v, possibly 
interspersed with t-actions. We also write s —> to mean that there exists a s’ such that 
s=>s', 


The following definition is essentially standard (cf. [33]): 


Definition 2.1.5 The labeled transition system of a WT Net (N, Act), written lts((N, Act)), 
is the labeled transition system over Act U {7} whose states are the reachable markings of NV 
and whose labeled transitions correspond to firings of single transitions of N. In particular, 
state M goes to state M’ via an a-labeled transition in its((N, Act)) iff marking M’ of N can 
be reached from marking M by firing exactly some a-labeled transition of N. The initial state 
of lts((N, Act)) is defined to be the initial marking of NV. 


We note that Definition 2.1.2 ensures that the labeled transition system of every WT Net 
is finitely-branching. 


2.2 Operations on Well-Terminating Nets 


This section defines WT Net operators corresponding to the familiar CCS/CSP operations 
of prefixing (a.), restriction (\a), hiding (—a), renaming ([f]), CSP-style sequencing (;), non- 
communicating parallel composition (||), CSP-style parallel-composition-with-synchronization 
(|), CCS-style parallel-composition-with-hiding (|), internal choice (@), and CCS5-style choice 
(+a). We also define spliti, a, q_) and choiceraa,,an) tefinement operators on WT Nets. 

We begin by defining operators that grow or shrink the alphabet of nets: 


Definition 2.2.1 Let (N, Act) be a WT Net, and let Act’ be a finite set of visible labels. Then 
(N, Act) grow Act' “ (N, Act U Act’). 
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@ oO 


—a ; 


} —— 


(N, Act) a.(N, Act) 
Figure 2-1: An Example of Prefixing 


Definition 2.2.2 Let (N, Act) be a WT Net, and let Act’ C Act be a finite set of visible labels 
containing \/. Then (N, Act) shrink Act’ = (P, Act’), where P is identical to N except that all 
(visible) transitions with labels from Act — Act’ are removed. In particular, 

Tp = {t € Ty: l(t) € Act’ U {r}}. 


The hiding and renaming operators simply relabel transitions: 


Definition 2.2.3 Let (N,Act) be a WT Net, and let a be a label in Act —{,/}. Then 
(N, Act)— a = (P, Act), where P is identical to N except that all a-labeled transitions are 
relabeled with Tr. 


Definition 2.2.4 Let (N, Act) be a WT Net, and let f be function from Act to Act such that 
for all 6 € Act, f(G) = J iff 8 = /. Then (N, Act)[f] = (P, Act), where P is identical to N 
except that Ip = foly. 


The restriction operator simply removes transitions: 


Definition 2.2.5 Let (N, Act) be a WT Net, and let a be a label in Act —{,/}. Then 
(N, Act)\a = (P, Act), where P is identical to N except that all a-labeled transitions are 
removed. In particular, Tp = {t € Ty: ly(t) 4 a}. 


The prefixing operator (a.), illustrated in Figure 2-1, simply attaches a new place and a 
new a-labeled transition to the “start” of a net: 


Definition 2.2.6 Let (N, Act) be a WT Net, and let a be a label in (Act U{r}) — {\/}. Then 
(P, Act) = a.(N, Act) is defined as: 


Sp = Sn {s.} 


Tp = Ty Ww {t.} 


prep(t) = fsa} ift = te 


prey (t) otherwise 
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a2 


6 6 


NL “ 


(N,, Act); (No, Act) 
Figure 2-2: An Example of Sequencing 


Starty ift=t, 
post,(t) otherwise 


it) = 4 t ift=t, 


postp(t) = 


ly(t) otherwise 


Startp = {s.} 
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Our sequencing operator (N,, Act); (No, Act) makes critical use of the ,/-transitions of Ny 
by relabeling them with 7 and using them as a hidden (7-labeled) signal to transfer control to 
Nz. We illustrate the definition of “sequencing” through the following simple example. Suppose 
that we are given the WT nets (N,, Act) and (No, Act) of Figure 2-2, and we want to define 
(Ni, Act); (No, Act). We want the firing of either of the ,/-transitions of N, to be a hidden 
signal that enables both 6; and bz to fire concurrently. Therefore, we relabel the \/-transitions 
of N, to 7, and then have both of these 7-transitions feed into both of the start places of No. 
The resulting net (Ni, Act); (No, Act) is given in Figure 2-2. The formal definition appears 


below. 
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Definition 2.2.7 Let (Ni, Act),(No, Act) be WT Nets with disjoint sets of places and tran- 
sitions and with a common alphabet, Act. Then (P, Act) = (Nj, Act); (No, Act) is defined 
as: 


Sp = SN, U SN, 
Tp = Ty, U Ty, 


_ ) prey,(t) ift € Ty, 
prep(t) = prey,(t) ift € Ty, 


posty (t) ift € Ty, and ly,(t) A V 
postp(t)= ¢ Starty, if t € Ty, and ly,(t) = / 
posty,(t) if t € Ty, 
ly,(t) ift € Ty, and ly,(t) 4 / 
Ip(th =< 7 ift€ Ty, and ly,(t) = / 
ly,(t) if t € Ty, 


Startp = Starty, 


Our non-communicating parallel composition operator ||, places two nets in parallel. In 
order to preserve the well-terminating property associated with ,/-transitions, the nets are 
required synchronize on the ,/-action. Our definition is illustrated in Figure 2-3. 


Definition 2.2.8 Let (NM, Act), (Ns, Act) be WT Nets with disjoint sets of places and transi- 
tions and with a common alphabet, Act. 


Then (P, Act) = (N,, Act) || (No, Act) is defined as: 


Sp = SN, U SN, 


Tp = {(ti, te) € Ty, x Ty, : ly, (ti) = ly, (tz) = V}¥ 
{(t,*) € Tw, x {43 bv, (1) A VF OL) € tr x Trt ly) # V9 


preép((ti,t2)) = prey, (11) U prey, (t2) 
prep((t,*)) = prey, (t) 
prep((*,t)) = prey, (t) 


postp((t1,t2)) = posty, (t,) U posty, (t2) 
postp((t, *)) = posty, (t) 
postp((*,t)) = posty, (t) 
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Vv Vv 
(Nj, Act) 
2g &. 
Qo 
. we NL 


(N;, Act) || (No, Act) 


2 
2. 
e. 


(No, Act) 


2. 
°. 


6 


Figure 2-3: An Example of Non-communicating Parallel Composition 
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Figure 2-4: An Example of CSP-style Parallel Composition 


Ip((ti, t2)) = V/ 
Ip((t, *)) = ly, (¢) 
Ip((#,t)) = ly, (t) 


Startp = Startn, U Starty, 


We also have a family of CSP-style parallel composition operators ||;, where L is a set of 
visible labels. This operator places two nets in parallel and requires them to synchronize on all 
actions in the set LU{,/}. In particular, the non-communicating parallel composition operator 
is definable as ||g. 

Our definition is essentially the same as [47], and is illustrated in Figure 2-4. 


Definition 2.2.9 Let (Ni, Act), (N2, Act) be WT Nets with disjoint sets of places and transi- 
tions and with a common alphabet, Act. Let LE C Act, and let Ly = LU {y/}. 
Then (P, Act) = (N,, Act)||,(Ne, Act) is defined as: 
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Sp = SN, U SN, 


Tp = {(t1, te) € Tn, x Ty, : ly, (t,) = ly, (te) and ly, (4) € Ly} 
{(t,*) € Tw, x {4} lw () € Ly} W {4 0) € tt x Ty, t ly, (0) € Ly} 


prep((t1,t2)) = prey, (t1) U prey, (te) 
prep((t,*)) = prey, (t) 
prep((*,t)) = prey, (t) 


postp((t1,t2)) = posty, (t,) U posty, (t2) 
postp((t, *)) = posty, (t) 
postp((*,t)) = posty, (t) 


Ip((ti, t2)) = Iw, (4) 
Ip((t, *)) = ly, (¢) 
Ip((*, t)) = lw, (t) 


Startp = Startn, U Starty, 


Similar to [15], we also have a CCS-style parallel composition operator |, where two nets 
are placed in parallel and are allowed to perform hidden synchronizations on all complemen- 
tary actions a,a@; however, they must (visibly) synchronize on the \/ action. Our definition is 
illustrated in Figure 2-5. 

We say that an alphabet Act is closed under complementation iff for all labels, a € Act 


implies that @ € Act, where @ de. 


Definition 2.2.10 Let (N,, Act), (N2, Act) be WT Nets with disjoint sets of places and transi- 
tions and with a common alphabet, Act, such that Act —{,/} is closed under complementation. 


Then (P, Act) = (N;, Act) | (No, Act) is defined as: 


Sp = SN, U SN, 


Tp = {LE Ty, : ly, () 4 V} fhe Ty, ly, (t) ZV} 
{(t,,t2) € Ty, x Tw, + lw,(t1) = Ty(ls) or ly,(t1) = ly,(t2) = V} 


prep((t1,t2)) = prey, (t1) U prey, (te) 
prep((t,*)) = prey, (t) 
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(N,, Act) (No, Act) 
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Figure 2-5: An Example of CCS-style Parallel Composition 
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Aa, a2 a 1 a 2 
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(Ny, Act) (No, Act) 


Oe 
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g, g, On, 0 


(M,, Act) a) (No, Act) 


Figure 2-6: An Example of Internal Choice 
prep((*,t)) = prey, (t) 


postp((t1,t2)) = posty, (t,) U posty, (t2) 
postp((t, *)) = posty, (t) 
postp((*,t)) = posty, (t) 


Ip((t1, t2)) = Vif ly,(t:) = ly, (te) = V 


7 otherwise 


Ip((t,*)) = In, 


Startp = Startn, U Starty, 


We now define the internal choice operator, illustrated in Figure 2-6, which corresponds to 
prefixing each net with 7, and then “merging” the resulting (necessarily exactly two) initially 
marked places: 


Definition 2.2.11 Let (N,, Act), (Ns, Act) be WT Nets with disjoint sets of places and tran- 
sitions and with a common alphabet, Act. Then (P, Act) = (N,, Act) @ (No, Act) is defined 
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as: 


Sp = SN, WwW SN, WwW {s} 
Tp = Ty, ¥ Ty, Y {t,, te}, where t,,t. are distinct 


{s} ift=t, ort = ty 
prep(t)= 4 prey (t) ifte Ty, 
prey,(t) ift € Ty, 


Starty, ift=t, 
Starty, ift = te 
posty (t) ift € Ty, 
posty,(t) ift € Ty, 


postp(t) = 


T ift=—t, ort = te 
ly,(t) if t € Ty, 


Startp = {s} 


We also wish to define the Milner’s CCS choice operator, +47, which allows non-deterministic 
choice between two nets. We illustrate the definition of +, through the following simple 
example. Suppose that we are given the WT nets (N,, Act) and (No, Act) of Figure 2-7, and 
we want to define (N,, Act) +4 (No, Act). Clearly, we want to introduce conflicts between the 
a; and the 6; but preserve the concurrency within the b;, and so we do a simple cross product 
construction on the start places of both nets. We note that this causes all the \/-labeled 
transitions to be in conflict, as desired. The resulting net is given in Figure 2-7. 

As discussed in [42], one technical complication arises due to initially marked places that 
have incoming transitions, and in general, we apply a start-unwinding operator on nets before 
doing the above construction. Our start-unwinding operator, illustrated in Figure 2-8, is es- 
sentially the same as that of [15, 42] and produces a net that is “essentially the same”! as the 
original net, except that all initially marked places have empty presets. The “start-unwound” 
net is identical to the original net whenever all initially marked places of the original net have 
empty presets. 


Definition 2.2.12 Let (N, Act) be a WT net, and let Start-cyclicy be the initially marked 
places of N that have non-empty presets, i.e., Start-cyclicy = {s € Starty : prey(s) £ 0}. Then 
(P, Act) = start-unwind((N, Act)) is defined as: 


Sp = Sy W {(*, 8): 8 € Start-cyclicy } 


'The resulting net is strongly history-preserving bisimilar [39] to the original net. 
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Figure 2-7: An Example of CCS$-style Choice 
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Figure 2-8: An Example of Start-Unwinding 
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Tp =Ty WU {(U,t):t €Ty,U £0, and U C Start-cyclicy N prey (t)} 


prep(t) = prey (t) 
prep((U,t)) = (prey (t) — U)U {(4, 5): 5 € U} 


postp(t) = posty(t) 
postp((U,t)) = posty(t) 


Ip(t) = L(t) 
Ip((U, t)) = Iw(t) 


Startp = (Starty — Start-cyclicy) U {(+*, 8): 8 € Start-cyclicy } 


Using this start-unwinding operator, we now define the +,, operator on nets. 


Definition 2.2.13 Let (N,, Act), (N2, Act) be WT Nets with disjoint sets of places and transi- 
tions and with acommon alphabet, Act. Let (Nj, Act) and (N35, Act) be start-unwind((N,, Act)) 
and start-unwind((No, Act)), respectively. Then (P, Act) = (N,, Act) +4 (No, Act) is defined 
as: 


Sp = (Sy; — Starty) YW (Swi — Starty:) W (Starty: x Starty:) 


i(t) — Starty:) U {(1, $2) € Sp: s, € prey: (t)} if t € Ty 
preyi(t) — Starty:) U {($1, $2) € Sp: s2 € preyi(t)} if t € Ty; 
(t) 
(t) 


posty.(t 


postp(t) = postyy, 1 


ly: (t) ifte Ty; 


Startp = Starty: x Starty: 


Two other simple WT net operators play a significant role in our technical development. 
Namely, split refinements (split(aay,a_)) replace every a-labeled transition by two consecutive 
transitions labeled a, and a_, and choice refinements (choice(aa,,ap)) tTeplace every a-labeled 
transition by two conflicting transitions labeled a; and ag. Figure 2-9 gives examples of these 
kinds of refinements. 
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(N, Act) splitiaa,,a_\((N, Act)) choiceaaran)((N, Act)) 
Figure 2-9: Split Refinements and Choice Refinements 


Definition 2.2.14 Let (N, Act) bea WT Net, and let a,a,,a_ € Act —{.\/}. Then (P, Act) = 
spliltaa,,a_\((N, Act)) is defined as: 


Sp = Sn W {(*,t):t € Ty and ly(t) = a} 
Tp = {t € Ty: ly(t) F a} w {(¢, +), (t, -): t € Ty and Iy(t) = a} 
prep(t) = prey(t) 


prep((t, +)) = prey (t) 
prep((t, —) 


postp((t, + 
postp((t, — 


Startp = Starty 


Definition 2.2.15 Let (N, Act) be a WT Net, and let a,az,az € Act —{\/}. Then (P, Act) = 
choice(aar,az)((N, Act)) is defined as: 


Sp = Sn 


Tp = {t€ Tw: ly(t) Fas WU {4 L),(t, RB): t © Ty and ly(t) = a} 
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prep(t) = prey (t) 
prep((t, L)) = prey(t) 
prep((t, R)) = prey (t) 

postp(t) = post, (t) 
postp((t, L)) = posty (t) 
postp((t, R)) = post, (t) 


Startp = Startn 


The following theorems show that the class of WT Nets is closed under all of the operators, 
and that we are justified in referring to the WT Net operators as “CCS/CSP-style” operators. 


Theorem 2.2.16 The class of WT Nets is closed under prefixing (a.), restriction (\a), hid- 
ing (—a), renaming ([f]), CSP-style sequencing (;), non-communicating parallel-composition 
(||), CSP-style parallel-composition-with-synchronization (||, ), CCS-style parallel-composition- 
with-hiding (|), internal choice (G), start-unwinding, CCS-style choice (+y,), split, and choice. 


Proof. The proof is very straightforward but tedious. As an illustration, we prove the 
case for start-unwinding; the remaining cases are left to the reader. 

Let (N, Act) be a WT Net and let (P, Act) = start-unwind((N, Act)). It is easy to see that 
all transitions in P have labels from Act U {7}, Startp is finite, and every transition in P has 
finite in-degree and out-degree. 


A straightforward inductive argument shows that if t/...¢, is a run of P resulting in the 
marking M’ of P then: 


e t,...¢, is arun of N, where ¢) = ¢; if t} € Ty, and t) = (U,t;) for some U otherwise. 


e The marking reached firing after t;...t, in N is given by the function M, where M(s) = 
M'(s) for every s € Sy — Start-cyclicy and M(s) = M'(s) + M'((*,s)) for every s € 
Start-cyche. 


It is then easy to see from the definition of start-unwind that P is 1-safe, only a finite num- 
ber of transitions are enabled under any reachable marking of P, and that all places in P are 
unmarked immediately after any \/-labeled transition fires; hence (P, Act) is a WT Net. : 


Except for the parallel composition operators, all of our net operations are closely related 
to the corresponding CCS/CSP operators on labeled transition systems (Its’s), cf. [7, 30]. In 
particular: 
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Theorem 2.2.17 For all the CCS/CSP WT net-operators other than ||, ||;, and |, the /ts of the 
constructed net is strongly bisimilar to the its obtained by applying the corresponding CCS/CSP 
lts-operator to the /ts’s of the component nets. Also, lés((N,, Act)||,(No, Act)) is strongly bisim- 
ilar to lts((N,, Act))||ruglts((\No, Act)) and Uts((.Ni, Act) || (No, Act)) is strongly bisimilar 
to lis((N,, Act))||¢,lts((N2, Act)). Lastly, Its((N,, Act) | (N2, Act)) is strongly bisimilar to 
lts((.N,, Act)) | lts(( No, Act)), except that visible synchronization is required on ,/-actions. 


Proof. As an illustration, we prove the case for +;,. The remaining cases are straightfor- 
ward but tedious and are left to the reader. 

We first prove that for all WT Nets N, the Its of (N, Act) is strongly bisimilar to the ls of 
start-unwind((N, Act)). Let 


B= {(M,M'): M'‘ is a reachable marking of start-unwind((N, Act)), 
M(s) = M"(s) for all s € Sy — Start-cyclicy,, 
and M(s) = M'(s) + M'((«,s)) for all s € Start-cyclicy } 


Using an argument similar to that in the proof of Theorem 2.2.16, it is straightforward to 
show that B is a bisimulation between the Its of (N, Act) and the lts of start-unwind((N, Act)). 

Let (Nj, Act) and (N45, Act) be start-unwind((N,, Act)) and start-unwind((No, Act)), re- 
spectively, and let 


C = {(M, M'): M’ is a reachable marking of (Ni, Act) +y¢ (No, Act) and 
M = {8, € Starty: : (81,82) € M’ for all sy € Starty: } 
U {82 € Starty: : (81,82) € M’ for all s, € Starty: } 
U (M'A ((Siy: — Starty:) U (Sixx — Starty:)))} 


We observe that since Starty; and Starty, have empty presets, the definition of +4 ensures 
that firing any initial transition of Nj in (N,, Act)+ 4 lts((No, Act) ) will disable all transitions of 
Nj, and vice-versa. We further observe that for any reachable marking of (N,, Act)+y4 (No, Act) 
and any s; € Starty:, if some place (s;, 82) is empty while some place (5), s,) contains a token, 
then a transition of Nj must have fired, and vice-versa. It is then straightforward to show from 
the definition of +y, on nets and labeled transition systems that C is a strong bisimulation 
between lts((N{, Act)) +y, lts((.N3, Act)) and the lts of (Ny, Act) +44 Its(( No, Act)). The details 
are left to the reader. 

Since strong bisimulation is a congruence with respect to +y, (cf. [30]), the presence of C 
together with the above fact about start-unwinding immediately implies that Its((N,, Act)) +1 
lts({ No, Act)) is strongly bisimilar to the lts of (N,, Act) +i (No, Act). = 


The following propositions show that internal choice and CCS-style parallel composition 
can be “programmed” from the other operators. These propositions will be helpful in proving 
properties about the WT Net operators. 


Proposition 2.2.18 Let (N,, Act),(N2, Act) be WT Nets with disjoint sets of places and tran- 
sitions and with a common alphabet, Act. Then there is a net context C[-,-] built from prefixing 


and CCS choice such that C[(N,, Act), (No, Act)] is isomorphic to (Ny, Act) G (No, Act). 
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Proof. It is easy to show that (N,, Act) @ (No, Act) is isomorphic to the net 
(7.(N,, Act)) +4 (7.(.No, Act)). 


The details are trivial and are left to the reader. r 


Proposition 2.2.19 Let (N,, Act),(N2, Act) be WT Nets with disjoint sets of places and tran- 
sitions and with a common alphabet, Act, such that Act —{,/} is closed under complementation. 
Then there is a net context C]-,-] built from action expansion and shrinking, CSP-style parallel 
composition, choice refinements, and hiding such that C[(N;, Act), (No, Act)| is isomorphic to 
(N,, Act) | (No, Act). 


Proof. Let {a,,a@%,...,@%,@} = Act —{,/}, and let Act’ = fa‘,a),...,a/,,a/,} be distinct 
symbols not in Act. Let o and o’ be the sequences of choice refinements 


c= Choice (as,ay,0') . choice aa) Lee Choice a, axa.) . choice ge za) 


1 . _ | ae . | oo 
c= Choice a a, ar) choice a aat) ++ Choe a, a, a) choice, a,a!,) 


Let 


(Ni, Act’) act o((N,, Act) grow Act’) 


(N35, Act’) act o'((Nz, Act) grow Act’) 


Then it is straightforward to show that 
(N,, Act) | (No, Act) = (((Nq, Act”) || acerur (NS, Act”))— Act’) shrink Act, 


where equality refers to net isomorphism, and — Act’ is shorthand for successively hiding each 
action in Act’. The details are straightforward and are left to the reader. 7 


Chapter 3 


Semantics of Well-Terminating Nets 


3.1 Testing Equivalence 


This chapter develops some semantics for WT Nets that are compositional for all the WT Net 
operators presented in Chapter 2 and are respectively adequate for MAY-equivalence, MUST- 
equivalence, and Testing Equivalence [19]. Some fully abstract versions of these semantics are 
then presented. 


Definition 3.1.1 A semantics, [-], assigning to any process, P, a meaning, [P], is composi- 
tional for an operator on processes if semantic equality is a congruence for the operator, 7.e., 
the operator preserves semantic equality. We say that a semantics is adequate for an equiv- 
alence on processes if semantic equality implies process equivalence. Finally, we say that a 
semantics is fully abstract for a process equivalence with respect to a set of operators if the 
semantics is adequate for the equivalence and semantic equality is the coarsest congruence for 
those operators. 


We presume that the reader is familiar with the experiment-based theory of MAY-equivalence, 
MUST-equivalence, and Testing equivalence on labeled transition systems developed in [19]. In 
order to keep this thesis relatively self-contained, we repeat the basic definitions here. 

The idea behind experiment-based testing is that experimenters are given the ability to 
interact with processes in a way that affects both the process and the experimenter. In order to 
model success of an experiment, a special action w is chosen to represent success. In this setting, 
both processes and experimenters are labeled transition systems over a common alphabet, 
except that in addition, the experimenter is allowed to independently perform the special actions 
1 and w. Processes do not have the ability to perform either 1 or w. Both the experimenter and 
the process must “move together” on visible actions in the common alphabet, but can move 
independently on the 7 action. In general, the behavior of an experimenter on a process is 
non-deterministic. 

An experiment is a sequence of possible interactions between an experimenter and a process. 
Such a sequence is a computation iff it is an interaction which cannot be extended, 7.e., it is 
a maximal sequence of interactions. A computation is successful iff the experimenter passes 
through a state in which the w action is enabled. We say that a process, p, may satisfy an 
experimenter, e, iff some interactive computation between e and p is successful. We say that a 
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process, p, must satisfy an experimenter, e, iff every interactive computation between e and p 
is successful. 


Definition 3.1.2 Let 7S, and 7S, be labeled transition systems respectively over alphabets 
Act,, Actz, where Act, and Act. may contain the 7 action but do not contain the 1 or w action. 
Let EF be the set of labeled transition systems over Act, U Act, U {1,w}. Then 7S; and T'S, 
are MAY-equivalent iff Act, = Acty and TS, and T'S may satisfy the same set of experimenters 
in &. Similarly, 7S, and 7S, are MUST-equivalent iff Act; = Act, and T'S, and T'S. must 
satisfy the same set of experimenters in F. 7S, and 7’S»_ are Testing-equivalent iff they are 
both MAy-equivalent and MUST-equivalent. 


The definitions of these equivalences carry over directly to WT Nets: two WT Nets will 
be said to be MAy-equivalent, MUST-equivalent, or Testing equivalent iff their labeled transi- 
tion systems are respectively MAY-equivalent, MUST-equivalent, or Testing equivalent under the 
above definition. We assume without loss of generality that for any WT Net, (N, Act), the 
special actions 1 and w are not in Act. 

For technical simplicity, we will work with an alternate formulation of these equivalences, 
namely, partial trace equivalence [19, 30] and failures equivalence [7, 8, 9, 21]. In order to keep 
this thesis relatively self-contained, we repeat the definitions here: 


Definition 3.1.3 Let 7S be a labeled transition system, (S$, ActU{7}, —, Sinit), where Act is 
a set of visible actions. A state s is divergent iff s can perform an infinite sequence of 7-actions. 
A failure set of a state s is any set of visible actions, a, that are not enabled at s, even after 
further performing any finite sequence of r-labeled actions; that is, s A>. Then: 


traces(T'S) © {v € Act™ : sinit =>} 


F(TS) af {(v, F): v € Act", F C Act, and there is some state s such that 
Sinit => s and F is a failure set of s} 


U{(v, F):0€ D(TS) and FC Act} 


D(TS) = 


{v-v': 0, v' € Act* and sini, —> s for some divergent state s} 


For any WT Net (N, Act), we define traces((N, Act)) af traces(lts((N, Act))), F((N, Act)) def 


F(ls((N, Act))), and D((N, Act)) & D(lts((N, Act))). 


Proposition 3.1.4 Let 7S, and 7S, be labeled transition systems respectively over finite 
alphabets Act,, Act., where Act, and Act. may contain the 7 action but do not contain the 1 
or w action. Then 


e 7S, and TS, are MAy-equivalent iff Act; = Act, and traces(T'S,) = traces(TS.). 


e 7S, and T'S are MuST-equivalent iff Act; = Act., F(TS,) = F(TS2) and D(TS,) = 
D(TS2). 
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e 7S, and 7S are Testing-equivalent iff Act; = Acts, traces(T'S,) = traces(TS2), F(1S)) = 


The proof is a straightforward generalization of that in [19] and is left to the reader. 

As shown in [19], MAY-equivalence, MUST-equivalence, and Testing-equivalence are compo- 
sitional for all the standard CCS/CSP operators on labeled transition systems. Furthermore, 
they are compositional for (the natural definition of) choice refinements on labeled transition 
systems. Similar properties hold for WT Nets: 


Proposition 3.1.5 MAy-equivalence, MUST-equivalence, and Testing-equivalence on WT Nets 
are compositional for all our CCS/CSP-style operators, choice refinements, and alphabet ex- 
pansion and shrinking. 


The proof is analogous to that of [19] and is omitted. 

Since labeled transition systems are inherently sequential, these equivalences are also com- 
positional for (the natural definition of) split refinements on labeled transition systems. A 
similar result holds for purely sequential WT Nets: 


Proposition 3.1.6 MAy-equivalence, MUST-equivalence, and Testing-equivalence are composi- 
tional for split refinements on sequential WT Nets, in which no transitions can fire concurrently 
in any reachable marking. 


Proof. Let (N, Act) be a sequential WT Net, and let a,a,,a_ be distinct symbols in Act. 
For any sequence v € Act”, we define spliliaa,,a_)(Y) to be the sequence a; ...a),;, where each 
a; = a,.a_ if v[i] = a, and a; = v[?] otherwise. 

Firing any newly-created a,-labeled transition in splita¢,4_\((N,Act)) has the effect of 
“half-firing” the corresponding a-labeled transition of NV, 7.e., removing all the tokens from the 
preset of the a-labeled transition but not placing any tokens in its post-set. Since (N, Act) 
is a sequential net, a_ is thus the one and only action enabled in split, 4, ¢_)((N, Aet)) after 
performing any sequence of transitions that ends with an occurrence of a newly-created a4,- 
labeled transition. 

It is then straightforward to show that 


traces( splitia a, a_)((N, Act))) = 
{splitiaaya_)() : v0 € traces((N, Act))} U {splita a, a_)(V) a4 : v-a € traces((N, Act))} 


F(splitea.ay,a-y AN, Act))) = 
{(splitiaa,a_)(v),#") : there is some F with (v, F) € F((N, Act)) such that 
I’ CFU {a}, and if a, € F’ then a € F} 
U {(splitraa,a_(v) > a4, FY): (v-a, 0) € FUN, Act)) and EF” C Act —{a_}} 
U{(v, F) : v € D(splita a, a_\((N, Act))) and FC Act} 


D(splitiaa,.a_\((N, Act))) = {splitaa,a_)(v) 0" + v € D((N, Act)) and v' € Act”} 
The proposition is then a simple consequence of Proposition 3.1.4. : 


However, as is well-known, neither MAY-equivalence, MUST-equivalence, nor Testing equiv- 
alence on arbitrary WT Nets is compositional for split refinements: 
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splitiaa,,a_\((N1, Act)) O 0 


splitiaa,a_\(N2, Act)) 


Figure 3-1: Standard Example 


Proposition 3.1.7 ([10]) MAy-equivalence, MuUST-equivalence, and Testing equivalence are 
not compositional for split refinements on arbitrary WT Nets. 


Proof. It follows easily from Definition 3.1.3 and Proposition 3.1.4 that if any two 
divergence-free WT Nets are trace inequivalent then they are MAY-inequivalent, MUST-inequivalent, 
and Testing-inequivalent. To prove the proposition, we repeat the example given in [10], and il- 
lustrated in Figure 3-1. It is easy to show that (N,, Act) and (No, Act) of Figure 3-1 are Testing- 
equivalent. However, splitia 4, a_)((Ni, Act)) and splitia a, a_)((N2, Act)) are trace-inequivalent, 
since a,ba_ is a trace of splitia a, a_)((Ni, Act)) but not of split, a, a_)((N2, Act)). We note 
that (N,, Act) is not a sequential net, since the a-labeled and b-labeled transitions can fire 
concurrently. : 


It is well-known that trace-inequivalent /ts’s cannot be strongly bisimilar (cf. [30]). Since 
the labeled transitions systems of (N,, Act) and (No, Act) of Figure 3-1 are strongly bisimilar, 
the same example shows that no interleaving semantics (that lies in between trace equivalence 
and strong bisimulation) can be compositional for split refinements on arbitrary WT Nets. As 
is discussed in [39, 49], it is necessary keep track of “pomsets”, which generalize linear sequences 
of actions to multi-sets of actions partially ordered to reflect causality and concurrency. 


3.2. Some Compositional Semantics for WT Nets and Operators 


We begin with the standard notions of pomsets. 
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Definition 3.2.1 A pomset is a labeled partial order. Formally, a pomset, p, consists of a 
set Events, whose elements are called events, a set Labels, whose elements are called labels, a 
function label,: Events, —Labels,, and a partial order relation <, on Events,. We say that p is 
a pomset over an alphabet Act iff Act contains all the labels of p. 

If p is a pomset with an empty carrier, we often simply write 9 to denote p. If p is a pomset 
with a single event, labeled a, we often simply write a to denote p. 

We say that event e causes event e’ in a pomset p iff e <, e’. The downward-closure, 
down,(e), of event e in a pomset p is {e’ € Events, : e’ <, e}. The downward-closure, down,(E), 
of a subset F of Events, is FU U{down,(e): e € £}; E is downward-closed iff down,(£) = E. 
We write min(p) to denote the set of events in p that are minimal with respect to <,, ie., 
events that do not have any causes in p. We write maz(p) to denote the set of events in p that 
are maximal with respect to <,, 7.e., events that do not cause any event in p. We say that event 
e is a maximal cause of an event e’ in pomset p iff e <, e’ and there is no event e” € Events, 
such that e <, e” <, e’. 

The size of a pomset p, written |p|, is the size of the set Events,. A chain in p is a sequence 
of events %1%...2,% of psuch that x; <p ®2 <p... <p» tg. The depth of an event x in p, written 
depth, (x), is the maximum length of any chain in p of the form 2, <p @ <p ...<p ®% <p 2, for 
any events 2,,...,%,. The depth of p, written depth(p), is the maximum length of any chain in 
p. 

A cut of p is any subset C' of Events, such that no two distinct events in C’ are causally 
related by <,. The width of p is the maximum size of any cut of p. 

A pomset p is a prefix of a pomset gq iff p is a restriction of g to a downward-closed subset 
of Events,. 

A function f is an isomorphism between pomset p and pomset q iff it is a label-preserving 
order-isomorphism, namely, 


e f: Events, Events, is a bijection, 
e label, = label, o f, 
ee <, e' iff fle) <, f(e’) for all e,e’ € Events,. 


A pomset p’ is a linearization of a pomset p iff it has the same events and labels as p and 
<, is a total ordering that contains <,. For any pomset q such that <, is a total ordering and 
any 1 <i < |Events,|, the 7 largest event of ¢ is the (necessarily unique) event e € Events, 
such that the longest chain e; <,...<, €x <q € in q is of length 2. 


We now define the pomsets arising from WT Nets: 


Definition 3.2.2 The places of a transition ¢t of a net N are the places directly connected to 
it, z.e., the union of the preset and postset of t. Let ¢,,t2 be transitions of a net N. We say 
that ¢, and t. are statically concurrent in N iff the places of t, are disjoint from the places of 
to. 

A transition-sequence is a sequence of transitions of a net N. For transition-sequence r = 
t,...t, and 1 <i <n, we write r[t] to denote the 7” element, t;, of r. The transition-pomset 
of r = t,...t, has as events the integers from 1 to n, where the label of event 2 is ¢; and 
the partial ordering is the transitive closure of the following “proximate cause” relation: event 
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Figure 3-2: An Example of a Transition-pomset and Pomset-trace 


a proximately causes event 7 iff i < 7 and ¢; and ¢; are not statically concurrent in N, ef. 
Figure 3-2. The pomset-runs of a WT Net (N, Act) are the transition-pomsets of runs of N (ef. 
Definition 2.1.1). 

If ¢ is a transition-pomset of N, then visible(q) is the restriction of q to its events with 
visible-transition labels (cf. Definition 2.1.1); furthermore, the label of each event 2 is the label 
of transition /,(7) (rather than transition /,(7) itself). The pomset-traces of a WT Net (N, Act) 
are the set of visible(q) such that q is a finite pomset run of N, cf. Figure 3-2. 


It is well known (cf. [42]) that there is a uniquely determined final marking associated with 
each finite pomset run of a net; this is the marking reached after sequentially firing the events 
of the run in any order that is consistent with its partial order. 


Proposition 3.2.3 Let r be arun of a net N, let p’ be a linearization of the transition-pomset 
of r, and let r’ be the transition-sequence corresponding to p’, t.e., r’ = t; ...t,;, where each ¢; 
is the label of the 2‘ largest event of p’. Then r’ is a run of N reaching the same final marking 
as fr. 


Proof. Let v be the sequence e;...€),;, where each e; is the i largest event of p’. Then 
it is easy to see that v is a permutation of the sequence 1...|r|, and r’[?] = r[v[?]] for all 
1<i< |r}. 

We prove the proposition by induction on the number, n, of pairs (7,7) such that i < 7 (as 
integers) but v[?] > v[7] (as integers). The base case of n = 0 is trivial. 

For the induction step, let n > 1. Then there is some k such that v[k] > v[k +1]. Let w be v 
with the k** and k + 1 elements “swapped”; that is, w[k] = vo[k+1], w[k+1] = v[k], and w and 
v agree on all other indices. Clearly, the number of pairs (7,7) such that i < 7 but w[t] > wl] 
is strictly less than n. Let p” be the (totally-ordered) transition-pomset with the same labels 
and events as p’ and such that for all events e,e’ € Events)”, € <p e’ iff e occurs before e’ in 
the sequence w. It is easy to show that p” is a linearization of the transition-pomset of r. Thus, 
by induction, the transition-sequence r” corresponding to p” is a run of N reaching the same 
final marking as r. Furthermore, it is easy to see that r”[i] = r[w[t]] for every 1 <7 < |r|. 

Since p’ is a linearization of the transition-pomset of r, clearly, event v[& + 1](= w[k]) must 
not cause event v[k](= w[k + 1]) in the transition-pomset of r, and so by Definition 6.2.1, tran- 
sition r[w[A]] and transition r[w[k + 1]] are statically concurrent in N. Furthermore, since r” 
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is a run of N, all places in the preset of transition r[w[k + 1]] must be marked after the run 
r[w(l]]...r[w[A]]. The definition of static concurrency implies that no firing of transition r[w[k]] 
can add any tokens to the preset of transition r[w[A+1]]; thus, transition r[w[&+1]] must be en- 
abled after the run r[w[1]]...r[w[é —1]] as well. Conversely, all places in the preset of transition 
r|w[k]] must be marked after the run r[w[1]]...r[w[k—1]]. The definition of static concurrency 
implies that no firing of transition r[w[k + 1]] can remove any tokens from the preset of r[w[é]]; 
thus, r[w[k]] must be enabled after the run r[w[1]]...r[w[A — 1]]r[w[& + 1]] as well. It then 
follows easily that r[w[1]]...r[w[k — 1]]r[w[A + 1]]r[wlk]] is a run of N reaching the same final 
marking as the run r[w[1]]...r[w[k—1]]r[w[k]|r[w[k+ 1]], from which the lemma follows easily. m 


Our definition of “pomset-failures” is a natural generalization of (sequential) “failures” in 
that it associates “failure sets” to finite pomsets. 


Definition 3.2.4 A pomset-failure is a pair (p, F), where p is a finite pomset, and F is a finite 
set of labels. We say that (p, F’) is a pomset-failure over an alphabet Act iff Act contains all 
the labels of p and FC Act. 


We define a “failure set” of a marking as any set of visible actions that are not enabled under 
that final marking, even after further firing any finite sequence of 7-labeled transitions. This is 
exactly the standard definition of “failure sets” of states of the labeled transition system of the 
net (cf. Definition 3.1.3). Using Proposition 3.2.3, we can unambiguously refer to the marking 
of a net reached after a pomset-run. 


Definition 3.2.5 The pomset-failures of a WT Net (N, Act) are the pairs (visible(q), F) such 
that q is a finite pomset run of N and F C Act is a failure set of the marking after gq. 


We also wish to define a notion of “pomset-divergences” that is a natural generalization of 
(sequential) “divergences.” 


Definition 3.2.6 A pomset-divergence is a pair (p, D), where p is a finite pomset and D is a 
non-empty set of downward-closed subsets of Events,. We say that (p, D) is a pomset-divergence 
over an alphabet Act iff Act contains all the labels of p. 


Given any pomset run with only a finite number of visible events, it is easy to see that any 
infinite chain of t-labeled-events indicates a divergence of the net. We wish to define pomset- 
divergences of nets in such a way that we keep track of all the concurrent divergences within a 
pomset run while abstracting away from the 7-labeled events. 


Definition 3.2.7 Let q¢ be an infinite pomset run of a WT Net (N, Act) with a finite number 
of visible events. Let D be the family of sets of the form (events of) visible(down,(C)) such 
that C’ is an infinite chain of 7-labeled events of g. Then (visible(q),D) is a pomset-divergence 


of (N, Act), cf. Figure 3-3. 


It turns out that the semantics defined by simply taking these pomset-failures and pomset- 
divergences makes too many distinctions between nets, and we need to “blur” certain kinds of 
information from our runs. This we accomplish through various closure operations. The first 
such closure involves taking “augmentations” of our pomset-failures and pomset-divergences. 
We first restate the standard definition for pomsets, where an augmentation is simply an increase 
in the partial ordering. 
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Figure 3-3: An Example of a Pomset Divergence (p, D) 


Definition 3.2.8 Pomset p’ is an augmentation of pomset p iff p and p’ have the same set 
of events with the same labels, and the partial ordering of p’ contains the partial ordering of 
p. Let augment(p) be the set of augmentations of p. The augmentations, augment((p, F)), 
of a pomset-failure (p, f’) is the set {(p’, F’) | p’ © augment(p)}. For pomset-divergences, let 
augment((p, D)) be 


{(p', D’) : p' € augment(p) and D! = {down,:(d): d € D}} 


We write p’ > p iff p’ is an augmentation of p, and write (p’, D’) > (p, D) iff (p’, D’) is an 
augmentation of (p, D). 


Our other closure operation arises from the fact that MUST-experiments fail to yield in- 
formation about the behavior of a net after a divergence. To get around this difficulty, we 
define below the notion of an extension of a pomset-divergence; the idea is that the extension 
is another pomset-divergence which may contain more information concerning events and di- 
vergences which “happen after” one or more divergences in the original pomset-divergence. All 
the information about a process after a pomset-divergence is blurred by throwing in all possible 
pomset-failures and pomset-divergences which extend the original pomset-divergence. 


Definition 3.2.9 Pomset-divergence (p’,D’) extends pomset-divergence (p,D), 
written (p,P)C(p’, D’), iff 


pis a prefix of p’ 
for all e € p’ — p, there is some d € D with d C down,:(e); and 
for all d' € D’, there is some d€ D with dC d’. 


For any alphabet Act which contains all the labels in pomset p, let extend4.¢((p, D)) be the 
set of pomset-divergences over Act which extend (p, D). Finally, let 


implied-failures 4..((p, P)) af {(p, F): FC Act}. 
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We lift these operations on individual pomsets, failures, etc., to sets of individuals by point- 


wise union. For example, 
augment( X ) af UJ augment(x). 
rex 


We are now ready to define the pomset versions of the MAY-, MUST-, and Testing-semantics. 
Definition 3.2.10 For any WT Net (N, Act), 


[(N, Act)” & (augment(pomset-traces((N, Act))), Act) 
Div((N, Act)) af augment( extend 4.4 (pomset-divergences((N, Act)))), 
Fail((.N, Act)) “ augment (pomset-failures({N, Act))) U implied-failures 4 ,,( Div((N, Act))), 
[(N, Act)]“°? & (Fail((N, Act)), Div((N, Act)), Act), 
[(V, Actyy™* S([(N, Act), [(N, Act) Py, 
Our definition of semantical equality implicitly equates label-preserving order-isomorphic 


pomsets. 
We observe that: 


Proposition 3.2.11 For any WT Net (N, Act), if [(NV, Act)]“*’ = (PT, Act) and [(N, Act) ]“°°* 
= (PF, PD, Act), then PT is a set of pomset-traces over Act, PF’ is a set of pomset-failures 
over Act, and PD is a set of pomset-divergences over Act. 


The proof is trivial and is left to the reader. 


Theorem 3.2.12 [-]“*Y, [-J“°7, and [-]7°°" on WT Nets are respectively adequate for MAy- 


equivalence, MUST-equivalence, and Testing-equivalence. 


Proof. There is an obvious correspondence between sequences of actions and linearly- 
ordered pomsets, which we implicitly use in the equalities below. Since the [-]“** and [-]”’°" 
semantics are augmentation-closed, it is straightforward to show that for any WT Net (N, Act), 


traces((N, Act)) = {v € fst([(N, Act)]}“*” ): v is linearly ordered} 
F((N, Act)) = {(v, F): v is linearly ordered and (v, F’) € fst([(NV, Act)]¥"°")} 
D((N, Act)) = {v: v is linearly ordered and (v, D) € snd([(N, Act)]“"*") for some D} 


Act = snd([(N, Act)J*") = _ third([(N, Act)]*"*") 


from which the theorem follows directly. : 


The following closure properties of the semantics will be useful in proving compositionality. 
We extend the definition of prefixes to pomset-divergences: 
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Definition 3.2.13 Let (p,D,),(¢,D,) be pomset-divergences. Then (p,D,) is a prefix of 
(q, D,) iff p is a prefix of g and D, C D,. 


Proposition 3.2.14 Let (N, Act) be a WT Net. Then pomset-traces((N, Act)) is a prefix- 
closed set of pomset-traces and and pomset-divergences(({N, Act)) is a prefix-closed set of pomset- 
divergences. Furthermore, for any pomset-failure (p, /’) and prefix q of p, if (p, F’) is a pomset- 
failure of N, then so is (q,9). 


Proof. The proposition is easily proved from the definitions of pomset-traces, pomset- 
failures, and pomset-divergences of nets. : 


Proposition 3.2.15 Let (p,D,), (¢,D,), and (r, D,) be pomset-divergences with (p,D,) C 
(q,D,) X (r, D,). Then there is some (p’, D,-) E (r, D,) such that (p’, D,-) is an augmentation 
of a prefix of (p, D,). 


Proof. Let p’ be the restriction of r to the set {e € Events, : down,(e) C p}, and let 
Dy = {down (d):d € D, and d C p'}. The remainder of the proof is straightforward and is 
left to the reader. 7 


Proposition 3.2.16 Let (p,D,), (¢,D,), and (r, D,) be pomset-divergences with (p,D,) x 
(q,D,) EG (r, D,). Then there is some (q', Dy) X (r, D,) such that (¢’, D,) extends (p, D,). 


Proof. Let q' have the same events and same labels as r, and let D, = D,. Furthermore, 
define <, as z <, y iff x € Events, and x <, y. The remainder of the proof is straightforward 
and is left to the reader. 7 


Proposition 3.2.17 Let p,g,q’ be pomsets such that p < q and q’ is a prefix of g. Then there 
is some p’ < q’ such that p’ is a prefix of p. 

Let (p, Dp), (¢, Dy), (7, Dy) be pomset-divergences such that (p,D,) < (¢,D,) and (¢, Dy) 
is a prefix of (¢,D,). Then there i is some (p’, Dy) < (q', Dy) such that (p', Dp) is a prefix of 
(p, Dp). 

Let (p, Dp), (¢, Dy), (7, Dy) be pomset-divergences such that (p, D,) € 
is a prefix of (¢,D,). Then there j is some (p’, Dy») C (q’, Dy) such that (p’, 
(p, Dp). 


3 D,) and (7, De) 


D,:) is a prefix of 


Proof. Let p’ be the restriction of p to Events, and, for the second and third parts, let 
Dy = {d € D,: dC Events, }. The remainder of the proof is straightforward and is left to the 
reader. 7 


Proposition 3.2.18 Let (N, Act) be a WT Net. Then Fail((N, Act)) is an augmentation- 
closed set of pomset-failures and Div((N, Act)) is an augmentation-closed and extension-closed 
set of pomset-divergences. 
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Proof. It is easy to see from Definition 3.2.10 and the definition of implied-failures that 
that both sets are augmentation-closed. The extension-closure of Div((N, Act)) is a simple 
consequence of Proposition 3.2.16. rT] 


The following operations on pomsets and pomset-divergences correspond to our operators 
on WT Nets and will be useful in proving compositionality of our semantics. 


Definition 3.2.19 Let p be a pomset and aa label. We define p with a to be the set of pomsets 
p’ such that p is a prefix of p’, there is exactly one event in p’ — p, and this event is a-labeled. 


Definition 3.2.20 Let p be a pomset and let X be a set of maximal events in p. Then p— X 
is p restricted to Events, — X. 


Definition 3.2.21 Let p be a pomset, (p, D) a pomset-divergence, and a a label. We define 
a.p to be the pomset with Events,, = Events, U {e,} for some e, ¢ Events,, la p(ea) = a 


and J, agrees with J, on Events,, and <a ,= <p» U ({ea} xX Events, ). Furthermore, a.(p, D) def 
(a.p, {dU {eg}: d € D}). 


Definition 3.2.22 Let p be a pomset, (p, D) a pomset-divergence, and a a label. We define 
p—a to be p restricted to its events that are not a-labeled, and 


(p, D)— a “ (p—a,{dn Events, 4: d € D}). 


Definition 3.2.23 Let p be a pomset, (p, D) a pomset-divergence, and f a function from labels 
to labels whose domain contains all the labels in p. Then p[f] has the same events as p with 
the same ordering, but l,,7; = f ol,. Furthermore, (p, D)[f] def (p[f], D). 

Definition 3.2.24 Let p and gq be pomsets with disjoint sets of events. We define p;q to be 
the pomset such that Events,., = Events, U Events,, /,., agrees with /, on Events, and agrees 
with J, on Events,, and <,.~= <,U <, U (Events, x Events, ). 


Definition 3.2.25 Let p be a pomset, (p, D) a pomset-divergence, and a,az,ap labels. Then 
choice(aaz,az)(P) is the set of pomsets q with the same events and same ordering as p and such 
that 1, agrees with J, on all non-a-labeled events of p, and [,(a) = az or [,(%) = ap for all 
a-labeled events x of p. Furthermore, 


. def : 
choiceaar,ar)((PsD)) = {(q,D):¢ € choiceaa;.ar)(P)}- 


Definition 3.2.26 Let p be a pomset, a,a,,a_ be labels, and H C {x € maz(p):1,(2) = a}. 
Then split, a, ,a_,H)(P) is defined to be the pomset g with all a-labeled events in H “half-split” 
and all other a-labeled events “fully split,” z.e., 


e Events, = {(y,0) € Events, : 1,(y) a} U {(y, 1): y € H} 
U{(y,1),(y,2): y € Events, — H and I,(y) = a}. 


e For all (y,2) € Events,, (,((y,1)) = a4, U,((y,2)) = a_, and 1,((y,0)) = U,(y). 


e For all (z,7),(y,7) € Events,, (2,7) <, (y,j) iff either « <, y or (w =, y andi < 9). 
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We then define: 
. def . 
spliliaa,,a_)(P) = {splitiaay.a_,H(P): HC {x € max(p): 1,(x) = a}} 


Our definition of ||4 on pomsets generalizes that of [8, 21] on sequences of actions. In 
particular, we are careful to prohibit synchronizations between pairs of actions that introduce 
too many ordering constraints and hence violate anti-symmetry of the partial orders. 


Definition 3.2.27 Let A be a finite alphabet, let p and g be pomsets with disjoint sets of 
events, and let D, and D, be downward-closed subsets of Events, and Events,, respectively, such 
that D, UD, #0. For any bijection f from {e € Events, : I,(e) € A} to {e’ € Events, : 1,(e’) € 
A} such that 


e f is label-preserving, t.e., l,(e) = 1,(f(e)) for all e € Events, with l,(e) € A, and 
e f is order-non-contradicting, i.e., 


— The transitive-closure of <,U{(e, e’) € Events, x Events, : f(e) <, f(e’)} is a partial 
ordering; in particular, it is anti-symmetric. 


— The transitive-closure of <,U{(f(e), f(e’)) € Events, x Events,: e <, e’} is a partial 
ordering; in particular, it is anti-symmetric. 


we define r = p||4q as: 


e Events, = {(e,*): e € Events, and I,(e) ¢ A} U {(+*,e): e’ € Events, and I,(e’) ¢ A} U 
{(e, f(e)): e € Events, and l,(e) € A}. 


e I.(e,*) =1,(e), U(*, e’) = I,(e’), and L.(e, f(e)) = 1, (e). 
e (ty) <, (2, y’) iff either x <, x or y <, 9’. 
We define (p, Dy) |l4(q, Dy) = (r,D,), where r = p||4q and 


D, = {down,(£): FE = {z € Events, : fst(z) € d} for some d € D,} 
U {down,(E'): E" = {z € Events, : snd(z) € d’} for some d’ € D,} 


We define 


pllaq “ {pllia: f is a label-preserving, ordering-non-contradicting bijection from 
{e € Events, : [,(e) € A} to {e’ € Events, : 1,(e’) € A}} 


and 


(p, Dy) ||a(¢, Da) act {(p, Dp) ||, (q, Dz): f is a label-preserving, ordering-non-contradicting 
bijection from {e € Events, : /,(e) € A} 
to {e’ € Events, : 1,(e') € A}} 
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It is easy to show that pomsets and pomset-divergences are closed under all the above 
operations; the details are left to the reader. 


We now define corresponding operations on sets of pomset-traces, pomset-failures, and 
pomset-divergences. We will use these definitions heavily in proving the compositionality of 
our semantics with respect to the WT Net operators. 


Definition 3.2.28 Let Act be a finite alphabet containing the distinguished symbol \/ and let 
PT be a set of pomset-traces over Act. Let a,az,ap,a4,a_ € Act —{,/}, let A be a subset of 
Act containing ,/, let f be a function from Act to Act such that for all a € Act, f(a) = / iff 
a = y/, and let Act’ be a finite set of labels containing \/. Then: 


(PT, Act) grow Act! = def ( 


PT, Act U Act’) 
(PT, Act) shrink Act’ © ({p € PT: all events in p have labels in Act’}, Act’) 
a.(PT, Act) Troy U{a.p: p € PT}, Act) 
(PT, Act\\a “ ({p € PT: p has no a-labeled event}, Act) 
(PT, Act)[f] = ({pLF]: p € PT}, Act) 


(PT, Act)—a def ({p— a: p © PT}, Act) 


(PT), Act); (PT», Act) © Y Up € PT, : p does not contain a ./-labeled event} 
U {(p1; p2): (pis V) © PT) and pe € PT>}, Act) 


(PT,, Act) ® (PT, Act) © (PT, U PT», Act) 

(PT;, Act) +yy (PT2, Act) @ (PT, U PTs, Act) 
(PT;, Act)||a(PT», Act) & (augment(|_}{pil|ap2 : p: € PT, p2 € PT2}), Act) 
(PT;, Act) || (PT2, Act) = (augment( (_){pillyyip2: pi € PTi,p2 € PT»}), Act) 
splita.ay,a_)(PT, Act)) S (augment( |_J{splitia.a4,a_)(P): P € PT}), Act) 


choice(a,az,an)((PT, Act)) ya ({Jfehoiceca, az,ap)(P): p € PT}, Act) 
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(PT,, Act) | (PT, Act) & 


((@((PT,, Act) grow Act’) || ceug yo! ((PT2, Act) grow Act'))— Act’) shrink Act 
where {a1,@7,...,@,, a} = Act -{/}, 
Act’ = fai,ai,..., ai, a’.} are distinct symbols not in Act, 


o is the sequence chotce(a,ay,a') - choice .  ChowCE (a, ax ,a',) - choice 


(am7,a1)° (eT a4)’ 


be ; ; ; , 
and o’ is the sequence choice’a. a, a) . chotceaz az, a") _ chorea, a,,a7) . chotceaz a, a',) 


Definition 3.2.29 Let Act be a finite alphabet containing the distinguished symbol ,/, let 
PF,PF,, PF, be sets of pomset-failures over Act, and let PD, PD,,PDz be sets of pomset- 
divergences over Act. Let a,az,dp,a,,a_ € Act —{,/}, let A be a subset of Act containing V/, 
let f be a function from Act to Act such that for all a € Act, f(a) = V/ iff a = V/, and let Act’ 
be a finite set of labels containing \/. 


Then: 
(PF, PD, Act) grow Act’ def (PF’, PD’, Act U Act’) 
where 
PF’ = {(p,FUX): XC Act — Act and (p, F) € PF} 
U implied-failures 4 4 Act(PD’) 
PD! = augment(extend 44 Act/(PD)) 


(PF, PD, Act) shrink Act! def ( 


PF', PD!, Act’) 
where 
PF’ = {(p,F)¢€ PF: allevents in p have labels in Act’ and F C Act’} 


PD! = {(p,D)€ PD: all events in p have labels in Act’} 


a.(PF,PD, Act) © (PF', PD’, Act) 


where 
PF’ = {(0,F): FC Act —{a}} U {(a.p, F): (p, F) © PF} 
PD!’ = {a.(p, D): (p, D) € PD} 


(PF,PD, Act)\a © (PF', PD’, Act) 


where 
PF’ = {(p,F):p has no a-labeled event and (p, F — {a}) € PF} 
U implied-failures 4 4(PD’) 
PD! = augment(ertend 4.4({(p, D) € PD: p has no a-labeled event })) 
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def 


(PF,PD,Act\[f| “ — (PF', PD’, Act) 
where 
PF' = {(pLf], fF): F C Act and (p, {bh © Act: f(b) = a for some a € F}) € PF} 
U implied-failuresy.,(PD’) 
PD! = augment(ertend 4 .i({(p, D)[f] : (p, D) € PD})) 
(PF, PD, Act)— a (PF", PD’, Act) 
where 
PF’ = {(p— a, F): (p, FU {a}) € PF} U implied-failures 4 .,(PD') 
PD! = augment( extend 4.4({(p, DU Dp)— a: (p, D) € PDU PF, 


(p, DU D,) is a pomset-divergence, 

and for all n > 0, there is some p, with (p,,D) € PDUPF 
such that 

(p, Dp) E (pn, {Events,,, }), all events in p, — p are a-labeled, 
and for every d € D,, 

there is some n-length chain of a-labeled events in p,, — p 
whose downward closure restricted to p is d})) 


choice(a.az.an\((PF, PD, Act)) © (PF', PD!, Act) 


where 
PF! = {(q, fy): there is some (p, Fy) € PF such that q € choiceca.az,az)(P), Fy © Fp U {a}, 
and if a; € F, or ar € F, then a € F,} 
U implied-failures 4 .4(PD’) 
PD! = augment( extend 4c¢( U{ choicera.az,az)((p, D)): (p, D) © PD})) 


(PF,, PD, Act) ® (PF2, PDs, Act) © (PF, U PF), PD, U PD», Act) 


(PF, PD, Act); (PF, PDs, Act) @ (PF’, PD’, Act) 


where 
PF = {(p, F): (p, FU {./}) © PF, and p does not contain a \/-labeled event } 
U {(pi; po, F): (pis 4,0) © PF and (po, F) € PF} U implied-failures 4..(PD’) 
PD! = PD, U {(p1; po, {dU Events,, : d € D): (pi; /,0) € PF, and (ps, D) € PD»2} 


(PF, PDy, Act)||4(P Fs, PD», Act) © (PF', PD’, Act) 


where 
PF' = augment({(p, F): there are some (pi, Fi) € PF, (po, F2) € Po such that p € pi|lape, 
F-ACEFNF», and FO AC Fy U Fo}) 
U implied-failuresy.,(PD’) 
PD! = augment(ertend 4-4(U{(p1, D1) ||4 (po, Da): (pr, Di) © PD, U PF), (po, D2) € PD U PF, 


D, and Dz are (possibly empty) downward-closed subsets of 
Events,, and Events,,, respectively, and D, U Dy # 0})) 
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(PF\, PDy, Act) || (PFs, PD», Act) © (PF\, PDi, Act) ||, (PFs, PD», Act) 
(PF, PD,, Act) | (PF, PDs, Act) 
((o((PF\, PD, Act) grow Act’) || serrug yo’ (PF, PDs, Act) grow Act’))— Act’) shrink Act 
where {a),@,...,@4, 0%} = Act -{/}, 
Act’ = {a),a),...,a/,, a4} are distinct symbols not in Act, 
o is the sequence chotce(a, ,ay,a/) . choice a aa) _ chorceca, ax,a',) . chotce ae ae ary) 


a : _ an : _ ee 
and a’ is the sequence chowce a a, at) choice az,a!) _ chotce a, ay ar) choiceaya,a',) 


Theorem 3.2.30 [-]“** is compositional for split refinements, choice refinements, alphabet 
expansion and shrinking, and all of our CCS/CSP operators. 


Proof. Let Act be a finite alphabet containing \/, let a,az,ap,a,,a_ € Act —{,/}, let 
AC Act, let f be a function from Act to Act such that for all a € Act, f(a) = / iffa = \/, and 
let Act’ be a finite set of labels containing \/. Furthermore, let (N, Act), (Ni, Act), (No, Act) be 
WT Nets. 

It is straightforward but tedious to show that the following identities hold, where the op- 
erations on the right-hand side of the equations are those defined in Definition 3.2.28. As an 
illustration, we will prove the equality for prefixing; the details of the other cases are left to the 
reader. 


[(N, Act) grow Act']“** = [(N, Act)]™*” grow Act’ 


[(N, Act) shrink Act']** = [(N, Act)]’*Y shrink Act’ 


[a.(N, Act)]™** = a.[ CN, Act)” 


[7-(N, Act)]%** = [CN, Act)” 


[(N, Act)\a]*” = CN, Act)]™**\a 


IN, Act){f] i (N, Act) “| 


[(N, Act)— a]™** = [(N, Act)’ — a 


[(N1, Act); (No, Act)]™*” = [(M1, Act)"; [(N2, Act)” 


[(N1, Act) ® (No, Act)J™** = [(N,, Act)]%*” @ [(No, Act)” 
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[(.N;, Act) +ar (No, Act) PY = [(Ny, Act)?” +ar [(N2, Act)” 
[(.N1, Act) || (No, Act)” = [(N,, ActyP™” || [(N2, Act) JM” 


[(.N1, Act)|] (No, Act)JM4Y = [(N;, Act) P” 


auty}L(N2, Act)" 


[(.N1, Act) | (No, Act)JM4Y = [ (Ny, Act)P | [(N, Act) 


[chotce(aazan)((N, Act) )JY** = choiceaa, az (L(V, Act)]” ) 


[splitea a, aN, Act)) a splittaa,.a_ (LN, Act)J™*") 


To prove the equality for prefixing, we first make without proof the easy observation that 
pomset-traces(a.(N, Act)) = fst(a.(pomset-traces((N, Act)), Act)). 


For one direction of the desired equality above, let g € Ja.(N, Act)]”*”; then, from the above 
fact, the definition of [-]M4”, and Definition 3.2.28, it is easy to see that either g = 9 or g = a.p 
for some pomset-trace p of (N, Act). It follows from general properties of pomsets that either 
q = or g=a.¢ for some q¢’ > p, from which it follows immediately that ¢ € a.[(N, Act)}*”. 
For the other direction, let r € a.[(N, Act)]“*’; then either r = 9 or r = a.p for some p that is 
an augmentation of some pomset-trace p’ of (N, Act). If r is non-empty, it follows from general 
properties of pomsets that r > a.p’. Using the definition of [-]“4’ and the highlighted fact 
above, it is then easy to see that r € [a.(N, Act)]“*”, proving this case. 

Proposition 2.2.19 and the above equalities for alphabet expansion and shrinking, CSP-style 
parallel composition, choice refinements, and hiding together immediately imply the composi- 
tionality of CCS-style parallel composition. : 

The following proposition will be helpful in our proof of compositionality for the [-]M"°7 
semantics: 


Proposition 3.2.31 Let Act be a set of labels, let (q,,.D,,) € augment(extend4-1((pi, Dp,))), 
let (q2, Dy,) € augment( extends .1((po, Dp,))), and let (¢, Dy) € (nH, Dy.) ||a(@, Dy). Then there 
are some prefixes (pi), Dp), (po, Dp) of (p1,Dp,), (D2, Dp.), respectively, such that (q,D,) € 
augment (extend ct((pi, Dp’ )|| 4 (Po, Dp). 


Proof. By definition, (¢,D,) = (a1, Da IVA (G2, Das) for some label-preserving, order- 
non-contradicting bijection f from {e € Events,, : l,,(e€) € A} to {e’ € Events,, : 1,,(e’) € A}. 
Let f’ be f restricted to Events,, x Events,,. Let p, be the prefix of p, with carrier {x € 
Events,,: for all y € Events,,, if y <p, « and ,,(y) € A then f(y) € Events,,}, and let D,, = 
{dé D,,: dC pi}. Similarly, let p, be the prefix of p. with carrier {z € Events,,: for all y € 
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Events,,, if y <,, 2 and I,,(y) € A then f~'(y) € Events,,}, and let Dp), = {d € Dp, : d C py}. 


It is straightforward but tedious to show that (¢, D,) € augment(extend4¢+( (pi, Dy: Mi (Po, Dps)))5 
the details are left to the reader. 7 


Theorem 3.2.32 [-]“’** and [-]**** are compositional for all the WT Net operators, except 


for split refinements and the CCS choice operator, +y,. 


Proof. Let Act bea finite alphabet containing \/, let a,az,ap,a4,a_ € Act, let A C Act, 
let f be a function from Act to Act such that for all a € Act, f(a) = J iff a = V/, and let Act’ 
be a finite set of labels containing \/. Furthermore, let (NV, Act), (Ni, Act), (No, Act) be WT 
Nets. 

It is straightforward but tedious to show that the following identities hold, where the oper- 
ations on the right-hand side of the equations are those defined in Definition 3.2.29. We prove 
the equalities for CSP-style parallel composition and hiding; the details of the remaining cases 
are left to the reader. 


, Act) grow Act ST — , Act ST grow Act 
N A A / US N A UST A / 
[(N, Act) shrink Act']M°8™ = [(N, Act)]M°" shrink Act’ 
[a.(N, Act)]“°°" = a.[(N, Act)JMOr" 
[7.(N, Act)]M°8" = [(N, Act) JM" 
[(N, Act)\a]“ °°" = UN, Act)!" "\a 


[(N, Act) [fJIM* = [(N, Act) eT] 


[(N, Act)— aJ@™8T = [(N, Act)}!"°?— a 
[(N1, Act); (No, Act)JM" = [(Ni, Act)PY"; [(N2, Act)" 
[(N1, Act) @ (No, Act)JMO8* = [(N4, Act) °°" @ [(No, Act)]/M08* 
[(N1, Act) |] (No, Act)PMOPT = [(N1, Act)Ph™ |] [(N2, Act)" 


[(N1, Act)||a(No, Act)JM9°" = [(N1, Act) PY" |Laup y[(Ne, Act) er* 


[(Ni, Act) | (No, Act)JMOR" = [(N1, Act) MP7 | [N2, Act) Me" 


[ehoice(aar,any((N, Act) PWS = choice(aar,an) UI, Act) 5") 
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To prove the equality for CSP-style parallel composition, we first state without proof the 
easily proved fact that: 


pomset-failures({N,, Act)||a( No, Act)) = 
{(p, F): there are some (pi, F'\) € pomset-failures((N1, Act)), (pe, Fo) € pomset-failures((No, Act)) 
such that P E Pillauty}P2, F _ (AU {/}) e Fy a Ps and F a (AU {/}) e Fy U F>} 


pomset-divergences({N, Act)||4( No, Act)) = 
Ut{(p1, D1) \laug yy (p2, D2) : (pi, Di) © pomset-divergences((Ni, Act)) U pomset-failures((N, Act)), 
(p2, D2) € pomset-divergences((No, Act)) U pomset-fatlures((No, Act)), 
D, and Dz are (possibly empty) downward-closed subsets of 
Events,, and Events,,, respectively, and D, U Do # 0})) 


For one direction of the desired equality, let (r, D,) € snd([(Ni, Act)||4(No, Act)JY"*"); then 
(r, D,) € augment(extend4.¢((p, D,))) for some pomset-divergence (p, D,) of (Ni, Act)||4(No, Act). 
It then follows easily from the highlighted fact above, the definition of [-]“"°", and Defini- 
tion 3.2.29 that (r,D,) € [(Ni, Act) JM "*" |laug 41(N2, Act)]“"°*. The proof for pomset-failures 
is very similar and omitted. For the other direction, let 


(r, D,) € snd([(N1, Act)" |Laugy [(N2, Act) °°"); 


then (r, D,) € augment(extenda.:((¢q, D,))) for some pomset-divergence (q, D,) such that (¢, D,) 
€ (m1, Dy.) |laugy (G2, Dy.) for some (q1, Dy.) © [(Ni, Act) JMO" and (qe, Dy.) € [(N2, Act)]M°°*. 
In turn, (q;,D,,) € augment(extend4-1((p;, Dp,))) for some (p;,D,,) and (po, Dy) that are 
pomset-divergences/pomset-failures of N, and N» respectively. Now, Proposition 3.2.31 implies 
that there are prefixes (p|, Dp:), (po, Dp) of (p1, Dp,), (Po, Dp.) respectively such that (q, D,) € 
augment (extend c:((p, Dp || auty} (Po, Dp). By Proposition 3.2.14, (pi, Dp), (Po, Dp;) are 
pomset-divergences/pomset-failures of Ni, .N»2, hence the highlighted fact above together with 
the definition of [-]“"°" implies that (¢g,D,) € snd([(Ni, Act)||a(No, Act)JM"°*. It now follows 
from Proposition 3.2.18 that (r, D,) € snd([(N1, Act)||4(N2, Act)]M°°*. The proof for pomset- 
failures in fst([(.Ni, Act)]Y °°" ||aug4[(N2, Act)]Y"*") then follows easily from the highlighted 
fact above; we omit the details. 


We now prove the equality for hiding. Since the definition of failure sets “looks through” 
firings of 7-transitions and failure sets are closed under subsets, it is straightforward to show 
that 


pomset-failures({N, Act)— a) = {(p— a, F): (p, F U {a}) © pomset-failures((N, Act))} 


We recall that by definition of WT Nets, only a finite number of transitions are enabled 
under any reachable marking. Thus, it is possible for unbounded-length sequences of a-labeled 
events to be enabled after any prefix d of a pomset p only if either a divergence is enabled 
immediately after d or a divergence is enabled “along the way to d,” i.e., immediately after 
some pomset d’ with (d’, {Events }) C (d, {Events,}). In either case, it then follows easily from 
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the definition of pomset-divergences that: 


extend 4-4(pomset-divergences({N, Act)— a))) 
extend 4.4({{p, DU Dp) — a: (p, D) € pomset-divergences((N, Act)) U pomset-failures((N, Act)), 
DUD, #9, (p, DU Dp) is a pomset-divergence, 
and for all n > 0, there is some p, with 
(pn, D) € pomset-divergences((N, Act))) U pomset-failures((N, Act))) 
such that 
(p, Dp) E (pn, {Events,,, }), all events in p, — p are a-labeled, 
and for every d € D,, 
there is some n-length chain of a-labeled events in p, — p 
whose downward closure restricted to p is d}) 


To prove one direction of the desired equality, let (r, D,) € snd([(N, act)—a]“"°"); then 
(r,D,) € augment(extend,4-+({p,D,))) for some pomset-divergence (p,D,) of (N, Act) — a. 
It then follows easily from the highlighted fact above, the definition of [-]“"°7, and Defini- 
tion 3.2.29 that (r,D,) € snd([(N,act)]“°°* — a). The proof for pomset-failures (r, fF.) € 
fst([(N, act) — a]“°°7) is very similar and is omitted. 

For the other direction, let (PF, PD, Act) = [(N, Act)]”°°7 and let (r, D,) 
€ snd([(N, Act)]“°°" — a). Then by Definition 3.2.29, (r,D,) € augment(extend4.4((p, D U 
D,) — a)) for some pomset-divergence (p, DU D,) and some sequence ((p,,D):n > 0) such 


that 
(p,D) € PDU PF, 


and for all n > 0, there is some p, with (p,,D) € PDU PF 

such that (p, D,) C (pn, {Events,, }), all events in p, — p are a-labeled, 
and for every d € Dy, 

there is some n-length chain of a-labeled events in p,, — p 

whose downward closure restricted to p is d 


For one case, suppose that (p, D) and all of the (p,, D) are in pomset-divergences((N, Act))U 
pomset-failures((N, Act)). Then it follows by the highlighted equality above that 


(p, DU D,)— a € extend 4-¢(pomset-divergences((N, Act)—a)), 


and thus that (r, D,) € snd([(N, act) — a]’°**). 

For another case, suppose that all of the (p,, D) € augment (pomset-divergences((N, Act)))U 
augment (pomset-failures({N, Act))). Then there is some sequence ((qn,D,): nm > 0) such that 
each (pp,D) = (dn, Dn) € pomset-divergences((N, Act)) U pomset-failures((N, Act)). Since 
Events, is finite, there must be some subsequence ((q,,,Dn,): k > 0) and some set such that 
for all 7 > 0, all the D,, are identical to some common D’ and the ordering of all the g,, 
restricted to Events, is identical. Let g be the pomset with this common ordering and with 
the same events and labels as p; it is easy to see that (q, D’) < (p, D). Furthermore, assuming 
without loss of generality that no > |p|, it is easy to see that there is some set D, of downward- 
closed sets of Events, such that D, C {down,(d): d € D,}, and (¢, D’), D,, and the sequence 
((dnx>Dn,)i k > 0) are in the set on the right-hand side of the highlighted equality. By the 
first case, (q, D'U D,)— a € extend4,4(pomset-divergences((N, Act)—a)). It is easy to see that 
(q¢,D'UD,)-—aC (p, DU D,)— a; thus by Proposition 3.2.18, (p, DU D,)— a and (r, D,) are 
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in snd([(N, act)—a]“°°*). 

For the last case, suppose that some (p;,D) ¢ augment( pomset-divergences((N, Act))) U 
augment (pomset-failures((N, Act))). If for all such 7, there is some j > 7 with 
(p;,D) € augment(pomset-divergences((N, Act))) U augment(pomset-failures((N, Act))), then 
substituting p; for p; yields a sequence that satisfies the earlier case. Otherwise, there must be 
some (p;,D) ¢ augment(pomset-divergences({N, Act))) U augment(pomset-failures({N, Act))) 
such that for all 7 > 2, 


(pj, D) € augment (pomset-divergences((N, Act))) U augment( pomset-failures((N, Act))). 


It is clear that there must be some sequence ((q,,Dn):n > 0) such that each (qr,Dp) € 
inc (pomset-divergences((N, Act))) and (p,,.D) € augment(extend4ci((dn,Dn))). Let p-related(D,,) 
be the set of d’M Events, such that d' € D,,. It is easy to see that the number of distinct sets 
p-related(D,,) is finite; hence there must be some subsequence ((gn,,Dn,): k > 0) such that 
all the p-related(D,,) sets are equal. By Proposition 3.2.14, pomset-divergences((N, Act)) is a 
prefix-closed set, and so we can assume without loss of generality that for all n, > 0, there is no 
event z € qm, such that down,, (x) 2 d' for some d’ € D,,. Using a straightforward finiteness 
argument on the length of chains that are unbounded in the p,, but bounded in the q,,, it is easy 
to show that there is some some subsequence ((q,,,D},,): 1 > 0) of ((da,,Dn,): & = 0), some set 
D, of prefixes of qf, and some D’ in the set on the right-hand side of the equality such that all 
the Di, = D’. Furthermore, it is easy to show that (p, DUD,)—a € augment(extend4.:((q,,, D’U 
D,)—a)). By the first case, (q},,, Dp, U Dy) — a € augment (pomset-divergences((N, Act)— a)). 
Hence, by Proposition 3.2.18, (p, DU D,)— a € snd([(N, act) — a]M"°") and hence so is (r, D,). 
The proof that fs¢([(N,act)—a]“"°") D fst([ NV, act)]Y"°" — a) is similar and is left to the 
reader. 


3 
3 


Proposition 2.2.19 and the equalities for alphabet expansion and shrinking, CSP-style paral- 
lel composition, choice refinements, and hiding together immediately imply the compositionality 
of CCS-style parallel composition. : 
It is easy to show that for sequential nets, |-]“°°"-equivalence and [-]"***-equivalence respec- 
tively coincide with MUST-equivalence and Testing-equivalence. Thus, as a simple consequence 
of Proposition 3.1.6, the [-J“°°* and [-]**°* semantics are compositional for split refinements 
on sequential nets. 

However, in general: 


Proposition 3.2.33 [-]“"°" and [-]**°* are not compositional for split refinements or the CCS 
choice operator, +). 


Proof. For the proof for split refinements, let (N,, Act) and (Nz, Act) be the nets 
illustrated in Figure 3-4, and let Act = {a,a,,a_,b}; this example is due to Frits Vaan- 
drager [38]. It is straightforward to show that [(Ni, Act)]“"°? = [(No2, Act)]“"S? and that 
[(Ni, Act)JP°°" = [(Ne, Act)]™P**. 


However, 


(a4, {5}) € srd([splitea a4 a_)((Ni, Act) PP") — snd([ splits a4 a_\((N2, Act) Pr"). 
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Ro. 
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splitiaa,a_\((M1, Act)) 


a4 
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spliliaa,,a_\((N2, Act)) 


Figure 3-4: Standard Example for Split Refinements 


b+ig (N,, Act) 


b + (No, Act) 


Figure 3-5: Standard Example for CCS choice 
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dupl-split((.N, Act)) 
Figure 3-6: An Example of Duplicate-Splitting 


We note that neither (N,, Act) nor (No, Act) is a sequential net, since both of them can fire an 
a-labeled transition concurrently with a b-labeled transition. 

For the proof of +, let (Ny, Act) and (No, Act) be the nets illustrated in Figure 3-5, and 
let Act = {a,b}. It is straightforward to show that [(.N,, Act)}“°°" = [(Ne, Act)]Y°°* and that 
[(Ni, Act)]P°? = [(No, Act)]™S*. However, 


(0, {b}) € snd([(N», Act) +a, b]"°") — snd([(N1, Act) + O]"*"). 


The difficulty with split refinements is that they make visible the failure sets of the net after 
transitions have “half-fired”, while the [-]“"°7 semantics does not keep track of this information. 
To correct this difficulty in our semantics, we first “duplicate-split” our nets; in particular, we 
“duplicate” every visible transition, then simultaneously “split” every duplicate transition into 
two consecutive transitions labeled a, and a2, where a is the label of the original transition. 
Furthermore, we relabel with ao every visible transition of the original net, where a is the 
label of the original transition. We leave all r-labeled and ,/-labeled transitions untouched. 
Figure 3-6 gives an example. 

More formally: 


Definition 3.2.34 Let (N, Act) bea WT Net. Then (P, Act’) = dupl-split((N, Act)) is defined 
as: 


Act’ = {a;: a € Act -{V/} and 0 <i < 2}uU{j 


Sp = Sn WU {(*,t): t € Ty and ly(t) ¢ {/,7}} 
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Tp = Ty WwW {(, 1), (t, 2) :tE Ty and y(t) g {/,7}} 


prep(t) = prey(t) 
prep((t,1)) = prey(t) 


) 
prep((t,2)) = {0 ty 


postp 
postp((t 9 
postp((t, 2 


Ros 
ob 
Nae 
lI 
3 
9S 
a 
2 
oo 
ob 
Nae 


Ip(t) = | be(D if I(t) ¢ {v7} 


t) otherwise 


Startp = Startn 


We note that: 
Proposition 3.2.35 WT Nets are closed under dupl-split. 


The proof is simple and is left to the reader. 

The difficulty with the +), operator is that the [-]M"°7 semantics does not keep track of 
initial firings of 7-transitions; to correct this difficulty, we simply +4, the dupl-split nets with 
a fresh, distinguished action y, and take the [-]“"°" semantics of the resulting net: 


Definition 3.2.36 Let (N, Act) be a WT Net and assume without loss of generality that 
y ¢ Act. Then: 


[(N, Act)Pae? S [y tar (dupl-split((N, Act)) grow {y})/M°S™ 
[(N, Acty]tnst (EU, Act) MY, (CN, Act) 097) 


Theorem 3.2.37 [-]Ni°, and [-]2i;5, on WT Nets are respectively adequate for MAy-equivalence, 


MuUST-equivalence, and Testing-equivalence. 


Proof. From the definition of dupl-split and y+ 7 and Proposition 3.2.18, it is straight- 
forward to show that 


F((N, Act)) = {(v, F): (v, F) is a linearly-ordered pomset-failure over Act 
and (v[f],{F(a):a € F}) € fot([(N, Act))8555). 


where f(a) = do for all a € Act —{,/} and f(./) = /} 


D((N, Act)) = {v: v is a linearly-ordered pomset over Act 
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and (v[f], {Events, }) € snd([(N, Act) MUST) 


split-y 


where f(a) = do for all a € Act —{,/} and f(./) = /} 


Act = {a: do € third([(N, Act) Jeie )} ULV} 


split-y 


from which the adequacy of [-]My2? follows easily. The adequacy of [-]7i;3 is an immediate 
consequence of this fact and Theorem 3.2.12. : 


The a,-labeled transitions in dupl-split((N, Act)) yield essential information about the fail- 
ures of the net (N, Act) after some transitions are “half-split.” On the other hand, the ay-labeled 
transitions yield no new information. In fact, as we will show below, the pomset-failures and 
pomset-divergences of dupl-split((N, Act)) that contain any a2-labeled events can be fully re- 
covered from those contain no @g-labeled events by “splitting” some ay-labeled events. 

We first observe that: 


Proposition 3.2.38 Let (N, Act) bea WT Net, and let p be a pomset-trace of dupl-split((N, Act)). 
Then: 


e For any a € Act, if p does not contain any do-labeled events, then every a,-labeled event 
is a maximal event in p. 


e Let (p, fF’) be a pomset-failure of dupl-split((N, Act)). For any a € Act, if p does not 
contain any d2-labeled events and does contain some a,-labeled event, then a, ¢ F’. 


e Let (p, D) be a pomset-divergence of dupl-split((N, Act)). For any a € Act, if p does not 
contain any ao-labeled events, then no d € D contains any a,-labeled events. 


The proposition is a simple consequence of the definitions of pomset-traces, pomset-divergences, 
and dupl-split; the details are left to the reader. 


Definition 3.2.39 Let Act’ be a finite alphabet such that for some finite alphabet Act, Act’ = 
{y,V/} U {a;: a € Act and 0 <i < 2}. Let PF be a set of pomset-failures over Act’, and let 
PD be aset of pomset-divergences over Act’. Then: 


1-2-respect( PF’) act {(p, F) € PF’: for every label a € Act, 

p has no a_-labeled events 

and all a,-labeled events in p are maximal in p} 
1-2-respect( PD) act {(p, D) € PD: for every label a € Act, 


p has no a»-labeled events, 
all a,-labeled events in p are maximal in p, 
and no d € D contains any a,-labeled events} 


Definition 3.2.40 Let Act’ be a finite alphabet such that for some finite alphabet Act, Act’ = 
{y,/}U{a;: a € Act and 0 <i < 2}. Let p bea pomset over Act’, let (p, F’) be a pomset-failure 
over Act’, let (p, D) be a pomset-divergence, and let X C {x € Events, : |,(a) = ao for some a € 
Act}. Then 0-split,(p) is defined to be the pomset qg with all events in X split, ie.: 


60 CHAPTER 3. SEMANTICS OF WELL-TERMINATING NETS 


e Events, = ({(y,0): y € Events, — X)U{(y,1),(y,2): y € X}. 
° inin={ WW) ifi=0 


p(y), otherwise 


© (y,%) <q (y’, J) iff either y <, y’ or (y =», y’ andi < J). 


Furthermore, 0-split((p, D)) “et (0-splity (p), {@-splity(d):d € D}). We then define: 


0-split(p) “et {0-splity(p): X C {a € Events, : 1,(a) = ao for some a € Act}} 
. def . 
O-split((p, P)) = {(q, F): ¢ € O-split(p)} 


0-split((p, D)) “et {0-splity((p, D)): X C {x © Events, : [,(@) = dp for some a € Act}} 
We lift 0-split to sets of individuals by point-wise union. 


We remark that pomsets, pomset-failures, and pomset-divergences are preserved under 
0-split; the details are left to the reader. 


As promised, the pomset-failures and pomset-divergences of duplicate-split nets can be 
recovered from 1-2-respecting pomsets by 0-split ting. 


Proposition 3.2.41 Let (N, Act) be a WT Net. Then: 


pomset-failures( dupl-split((N, Act))) = 
0-split( 1-2-respect( pomset-failures( dupl-split((.N, Act))))) 


pomset-divergences dupl-split((N, Act))) = 
0-split( 1-2-respect( pomset-divergences{ dupl-split((N, Act))))) 

The proof is a straightforward consequence of the definitions of pomset-failures, pomset- 
divergences, and duplicate-splitting; the details are left to the reader. 

The presence of a,-labeled events does complicate split and choice refinements since corre- 
sponding a, and a, events in a pomset-trace might not “match up” correctly during refinement; 
so, we restrict attention to pomsets without a»-labeled events. Similar to Proposition 3.2.41, 
we will be able to fully recover the refined az-labeled events from the refined aj-labeled events. 
Definition 3.2.42 Let Act’ be a finite alphabet such that for some finite alphabet Act, Act’ = 
{y, J} U{a;:a€ Act and 0 <i< 2}. Let p be a pomset such that no event in p is labeled by 


for any 6 € Act, let (p, F) be a pomset-failure over Act’, let (p, D) be a pomset-divergence over 
Act’, and let a,az,ag be labels in Act. Then 


0-1-chotce(a,ar,an)((P; F)) “ {(4, Fy) :q € chotc€(ay,arg,ano)( CROCE (ay,a14,an1)(P)) 
F, CF, U {ao, a1, a2} 
and if apg € Fy or Gro € Fy then ag € F, 
ifaz, € Fy or ag, € Fy, then a, € Fy 
if ang € F, then there is no az ;-labeled event in ¢ 


if ary € F, then there is no ap -labeled event in ¢})) 
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Furthermore, 


0-1-choice(a,a,,n)((PsD)) = ChOiCE 46,215 0n9)( HOWE as 01 ,an4)((PsP))) 


In defining split refinements, we want to “fully split” each ao-labeled event into the sequence 
&49-d_9. Furthermore, we want a,-labeled events to simulate half-firings of splits, and hence we 
have three choices for each a,-labeled event: relabel the event with a,,, relabel the event with 
d4o, or split the event into a4 9.a_1. (The other two possibilities, a4,.a49 and a41.@49.a_1, can 
be obtained from 0-splitting.) These choices are reflected below: 


Definition 3.2.43 Let Act’ be a finite alphabet such that for some finite alphabet Act, Act’ = 
{y,/} U{a;:a€ Act and 0 <i< 2}. Let p be a pomset such that no event in p is labeled by 
for any 6 € Act, let (p, F) be a pomset-failure over Act’, let (p, D) be a pomset-divergence over 
Act’, and let a,a,,a_ be labels in Act. Furthermore, let Xo, X 1, X2 be a partition of the set of 
a,-labeled events of p. Then 0-1-split,, ,, ,_) is defined to be the pomset q such that 


e Events, = {(y,0): y € Events, and U,(y) ¢ {ao, ai}} 


U{(y, 1): y € Events, and I,(y) € {ao, ai }} 
U{(y,2): y € Events, and either l,(y) = ao or y € Xo}. 


L(y) ift=0 

.o ifit=landy ¢ Xo 
1 ift=landy€ Xp 
ife=2 andy ¢ Xe 
if? =2 and y € Xe 


eU((y,t)=4 4 


© (y,%) <q (y’, J) iff either y <, y’ or (y =», y’ andi < J). 
We then define: 


0-1-splitea a4,a_)(P) def {0-1-spltteg a4 .a_,Xo,X1,X2)(P): Xo, X1, X2 partition {x € Events, : lp(x) = aif} 


. def . 
0-1-splite a, a_)((P, DY) = {(p', D'): p= 0-1-splitea a4 ,a_,Xo,X1,X2)(P) and 
p= {0-1-splitea a4 .a_,Xo,X1,X2)(4): de D} 
for some Xo,.X1, X2 that partition {x € Events, : [,(x) = a,}} 


. def . 
0-1-splitea a4 ,a_)((P, F)) = {(p", F") : p = 0-1-splitea a4 a_,Xo,X1,X2)(P) 


for some Xo,X1, X2 that partition {x € Events, : [,(«) = ay}, 
F'C FU {ao, a1, a9}, 
and if ayo € F’ or a4, € F’ then ap € F and a, € F 

if Xp #0 then ayo ¢ F" 

if X, 4 0 then F’N {a_o,a_1} =9 

if X2 #0 then a_2 ¢ F’} 


The following definition will be helpful in proving the compositionality of the [-]Mye> and 


split-y 
TEST ; . 
[Joie Semantics for +y7: 
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Definition 3.2.44 Let PF be a set of pomset-failures over a finite alphabet Act. Then 


init(PF) © {a € Act: (a,0) € PF}. 


MUST In 
split-y* 
this definition, the presence of y in failure sets is used to indicate that some initial 7-transitions 


The following definition will be used heavily in our proof of compositionality for [-] 


have been fired. 


Definition 3.2.45 Let Act be a finite alphabet containing the distinguished symbol ,/, let 
Act’ = {a;: a € Act —{\/} and 0 <i < 2}U{y, JY}, let PF, PF,, PF» be sets of pomset-failures 
over Act’, and let PD, PD,, PD» be sets of pomset-divergences over Act’. Let a,az,a@R,44,a_ € 


Act —{,/}, let A be a subset of Act containing \/, let f be a function from Act to Act such 
def 


that for all a € Act, f(a) = VJ iffa = V. Let (PF,, PD,, Act’) = [(7, Act’) !"*", and for 
all a € Act —{,/}, let (PF. y,PDay, Act’) def [(Nay, Act’) sity, Where Nyy is a net that 


can perform exactly an a-transition causally followed by a ,/-transition, after which the net 
deadlocks. 

The following definitions use the operators defined in Definition 3.2.29. The || operator 
remains the same as in Definition 3.2.29. 


(PF, PD, Act’) grow A def (PF, PD, Act’) grow A 


(PF, PD, Act’) shrink A (PF, PD, Act’) shrink A 


a pref (PF, PD, Act’) © (PFy, PDy, Act!) +41 ((PFa.y; PDa.y, Act’); ((PF, PD, Act’)\y)) 


r pref (PF, PD, Act’) (PF,, PD,, Act’) + ((PF, PD, Act’)\y) 


(PF, PD, Act’) vst a ©! (((PF, PD, Act’)\ao)\a1)\a2 


(PF, PD, Act’) rename with f def (PF, PD, Act’) [f'], 
where f’(a;) = (f(a)); for alla € Act and 0 <i < 2, 
and f’ is the identity on {y, \/} 


(PF, PD, Act’) hide a“ (((PF, PD, Act’) — ap)— a1) — a2 


(PF, PDy, Act’) seq (PF, PDs, Act’) “' (PF,, PDy, Act’); ((PF, PD, Act’)\y) 


(PF, PD, Act’) internal choice (PF2, P D2, Act’) det pref (PF,, PD,, Act') + 7 pref (PF, PD, Act’) 
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(PF\, PD,, Act) + (PF2, PD», Act)! (PF', PD’, Act) 


where 
U{(p, F) € PF, UPFs: either p# 0 or FN (init(PF,) U init(PF2)) = 0} 
PD! = PD,UPD», 
(PF, PD,, Act’) CSP-parallel, (PF2, PD», Act’ “ (PF', PD’, Act’)) 
where 
(PF, PD, Act’) = 1-2-respect((PF,, PD, Act’))|\|4: 1-2-respect((PF2, PDs, Act’)) 
A’ = {a;:aE A—{o/} and 0 <i <2}U {y, VY} 
and 
PF’ = augment (0-split(PF)) U implied-failures 4 4:(PD‘) 
PD! = augment (extend 4 ,+(0-split(PD))) 
choice;aa,,a,)((PF, PD, Act’) & (PF', PD, Act’) 
where 
(PF", PD", Act’) = 0-1-chotce(a,az,ap)(1-2-respect((PF, PD, Act’))) 
and 
PF’ = augment (0-split(PF")) U implied-failures 4 .4:(PD') 
PD! = augment( extend 4 .41( 0-split(PD”))) 
splity, a, ¢_)((PF, PD, Act’)) & (PF’, PD’, Act’) 
where 
(PF", PD", Act'\ = 0-1-splitg a, ap)(1-2-respect ((PF, PD, Act'))) 
and 
PF’ = augment (0-split(PF")) U implied-failures 4 .4:(PD') 
PD’ = augment( extend 4 .41( 0-split( PD"))) 


(PF, PD, Act’) CCS-parallel PF:, PD», Act’ 


(((PF{, PD}, Act’) CSP-parallel,.,, (PF3, PDs, Act’\) hide A) shrink Act’ 
where 

(PF{, PD}, Act") = o((PF,, PD1, Act’) grow A) 

(PF3, PD, Act”) = o'((P Fo, PDs, Act’) grow A) 

and {a1,%,...,@%,a@} = Act’ —{y, v/}, 

A= fai, a4, . .,a',, ai} are distinct symbols not in Act’, 


o is the sequence choice(a, a, ,a/) - choice a Choices a, ax,a/) - choice 


(Teste ah)’ 
(ax,an,a4) | choice a a,a1,) 


(a7,a7, a1) 


and o’ is the sequence choice )" choice z,a!) ... choice 


i 
(41,41,44 


We now show: 


Theorem 3.2.46 [-]ii2) and [-Jii) are compositional for split refinements, choice refine- 


ments, alphabet expansion and shrinking, and all of our CCS/CSP operators. 
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Proof. Let Act be a finite alphabet containing \/, let a,az,ap,a,,a_ € Act, let A C Act, 
let f be a function from Act to Act such that for all a € Act, f(a) = / iff a = V/, and let Act’ 
be a finite set of labels containing \/. Furthermore, let (NV, Act), (Ni, Act), (No, Act) be WT 
Nets. 


The following identities hold, where the operations on the right-hand side of the equations 
are those defined in Definition 3.2.45: 


[(N, Act) grow Act'Jaie, = [(N, Act)aie, grow Act 


[(N, Act) shrink Act]MAS) = [CN, Act) [Maes shrink Act’ 


split-y 


[a.(N, Act)]Mie) = a pref [(N, Act)]Mie3 


split-y 


[7.(N, Act) ]MReo = 7 pref (CN, Act) ee 


split- 


[(N, Act)\q) oie, = WN, Act) Iie, rst a 


[(N, Act)[floiey = (N, Act))tiey rename with f 


[(N, Act) — a)Mye) = [CN, Act) Mies hide a 


split-y 


[(Ni, Act); (No, Act)JMUST = [(Ny, Act)JMUS® seq [(No, Act)]MUS? 


split-y split- 


[(Ni, Act) tar (No, Act) JM Ne) = [ON1, Act) ney +m [(No, Act) ene 


sp split- 


[(Ni, Act) B (No, Act) JMES" = [CN, Act) 


UST + : MUST 
split. Laternal choice [( No, Act) splitey 


[(N1, Act) |] (No, Act) Mpiey = [N1, Act) pie y I (V2, Act) pies 


split- split-y 


[(Ni, Act)||4 (No, Act) ye” = [ON1, Act) a ity CSP-parallel yy, [(No, Act) Mie 


split-y 


5 
split-y 


[(Ni, Act) | (No, Act) MRE) = DUN, Act) CCS-parallel (No, Act) 


[chotceaarany((N, Act) Jeon = Choice(aa,an)(L(N, Act)Nnicy) 


y split-y 


[splita.a,.a_)(N, Act)) split. = splitia a, a_(I(N, Act) split ) 


The proof for CSP-style parallel composition is essentially the same as that in Theo- 
rem 3.2.32, except it uses the following easily proved fact: 
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pomset-failures(y + (dupl-split(( Ni, Act)||a(Ne, Act)) grow {y})) = 
0-split({(p, F): (pi, F1) © 1-2-respect(pomset-failures(y +x (dupl-split({N1, Act)) grow {y}))), 
(po, F2) © 1-2-respect( pomset-failures(y +r (dupl-split({ No, Act)) grow {y}))), 
and p€ pillaps, F-A' CF AN Fy and FNA CRHUF, 
where A’ = {a;:a€ Aand0 <i < 2}U{V/}) 


pomset-divergences(y + (dupl-split((N1, Act)||a(N2, Act)) grow {y})) = 
0-split({(p1, D1) ||a1(p2, D2) : 

(pi, Di) € 1-2-respect(pomset-divergences(y + (dupl-split((N1, Act)) grow {y}))) 
U 1-2-respect(pomset-failures(y + (dupl-split((N,, Act)) grow {y}))), 

(pz, D2) © 1-2-respect(pomset-divergences(y + (dupl-split((No, Act)) grow {y}))) 
U 1-2-respect(pomset-failures(y + (dupl-split((No, Act)) grow {y}))), 

D, and Dz are (possibly empty) downward-closed subsets of 

Events,, and Events,,, respectively, and D, U Dz £ 9, 

and A’= {a;:@€ A andd <i < 2}U{/) 


The proofs for choice refinement and split refinement follow straightforwardly from Propo- 
sition 3.2.18 and the easily proved facts that: 


pomset-failures(y + (dupl-split(chotce(aja,.az)((N, Act))))) = 
0-split( 0-1-chotce(a,az,an)( 1-2-respect(pomset-failures(y +4 (dupl-split((N, Act)) grow {y}))))) 


pomset-divergences(y + (dupl-split( choice(a.a,,az)((N, Act))))) = 
0-split( 0-1-chotce(a,az,an)( 1-2-respect( pomset-divergences(y + (dupl-split((N, Act)) grow {y}))))) 
pomset-failures(y +m (dupl-split(splitya a, a_)(CN, Act))))) = 


0-split( 0-1-splityg a, q_)(1-2-respect (pomset-failures(y +m (dupl-split((N, Act)) grow {y}))))) 


pomset-divergences(y + (dupl-split( choice(a.a,,a_)((N, Act))))) = 
0-split( 0-1-splityg a, a_)(1-2-respect (pomset-divergences(y + (dupl-split((N, Act)) grow {7}))))) 


The proof for hiding is analogous to that in Theorem 3.2.32. The proofs of the remaining 
equalities are left to the reader. We remark that Proposition 2.2.18 and the equalities for 
prefixing and CCS choice together imply the compositionality of internal choice. Furthermore, 
Proposition 2.2.19 and the equalities for alphabet expansion and shrinking, CSP-style parallel 
composition, choice refinements, and hiding together imply the compositionality of CCS-style 
parallel composition. 

The compositionality of [-Jiy; then follows easily from the above proofs together with 
Theorem 3.2.30. 7 


In fact, [-JNye> and [-]2iv%, make just the right distinctions with respect to [-J“°°", [-]7°* 


and our WT Net operators: 


b) 


Theorem 3.2.47 [-JNi2; and [-Jiii are fully abstract for split refinements, choice refine- 


ments, and all of our CCS/CSP operators with respect to [-]“7°" and [-]7"°*, respectively. 
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Proof. From the definition of dupl-split and 7, it is easy to see that 


fst([N, Act)}"""") = {(p, F): (p, F) is a pomset-failure over Act 
and (p[f], {f(a): a € F}) € fst(I(N, Act) Tiny), 
where f(a) = do for all a € Act —{/} and f(/) = V} 


snd([(N, Act)]“"*") = {(p, D): p is a pomset-divergence over Act 
and (p[f],.D) € snd([(N, Act) Jains), 


split-y 


where f(a) = do for all a € Act —{,/} and f(/) = J} 


Act = {a: do € third([(N, Act) Mie )} UL} 


split-y 


from which adequacy follows easily. 
Theorem 3.2.46 has shown that [-JMVe> and [-]?2°" are compositional for all the WT Net 


split-y split-y 
operators. To prove full abstraction, we observe that y +3, (dupl-split(-) grow {y}) can be 
programmed by CCS choice and a finite sequence of choice and split refinements, together with 
some alphabet-expansion and shrinking. In particular, assuming that {a}: a' € Act and 0 < 


i<2}n Act =9, 
¥ +a (dupl-split((N, Act)) grow {y}) = y +m ((o((N, Act) grow Act')) shrink Act’) 


where a is the sequence spliteg: 1 qi) +++ Splitygr gt ak) * ChOWCE (ai ata) «+» CROCE (ax ar ak); 


Act —{\/} = {a',...,a*}, Act! = {a}: a! € Act and0 <i < 2}U{ V7}, and equality refers 
to net isomorphism. If aj € Act for some at € Act and some 0 < i < 2, the equality above 
can be suitably modified to use different “fresh” variables and renaming. The theorem is then 
a simple consequence of this equality and the definition of [-]Micy and [-]2e7,- = 


: : : MAY MUST TEST 
However, as we will prove in the next section, [-]”*", [-Jiie;, and [Jin are not fully 


abstract for our WT Net operators with respect to MAY-equivalence, MUST-equivalence, and 
Testing-equivalence, respectively. The complication is that these semantics make strictly more 
distinctions than our net contexts. 


We remark here that keeping track of concurrent divergences is necessary for composition- 
ality with respect to parallel composition. In particular, suppose we modify the definition of 
pomset-divergences, (p,D), so that D must be a singleton set. Then the redefined [-]Mye" 


split-y 
semantics based on this modified version of pomset-divergences will not be compositional for 


parallel composition, which was the difficulty faced by Vogler [47, 49]. Our [-]Mve7 semantics 


split- 
avoids this difficulty by keeping track of concurrent divergences, and resolves an ‘open prob- 
lem posed in [49]. The difficulty with keeping track of only single divergences is illustrated in 
Figure 3-7. It is easy to see that (N,, Act) and (N., Act) have the same meanings under the 
redefined [-JMy., semantics and that (N3, Act) and (N4, Act) have the same meanings under 
the redefined [-J¥ie, semantics, where Act = {a,b,c,d}. However, (p, {ea,€-}) is a pomset- 
single-divergence of (Nz, Act) || (Na, Act), while it is not an augmentation of any extension of 
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Figure 3-7: An Example of the Necessity of Concurrent Divergences 
any pomset-single-divergence (q, {d}) of (Ni, Act) || (Ns, Act). 


3.3. Fully Abstract Semantics 


It turns out that [-J“*", [-]Miet, and [-J2, make more distinctions than are apparent to a 
single experimenter. Namely, single experimenters can only detect differences between pomsets 


with interval orderings [32, 47]. We repeat the definition here: 


Definition 3.3.1 A partial order < is is an interval ordering iff whenever both w < a and 
y < 2, then either w < zor y < x. A pomset p is an interval pomset iff <, is an interval 
ordering. 


It is well-known (cf. [14]) that: 


Lemma 3.3.2 ((14]) Every interval ordering, <,, is order-isomorphic to a set of intervals of 
the real line, where by definition, (interval w) < (interval 2) iff every point in (interval w) 
strictly precedes every point in (interval 2). 
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We define a corresponding version of “interval pomset-divergences”: 


Definition 3.3.3 A pomset-divergence (p, D) is an interval pomset-divergence iff p is an in- 
terval pomset and D = {d} for some d that contains all the non-maximal events of p, i.e., 
d > Events, — maz(p). 


We define the interval-MAy-, interval-MUST-, and interval-Testing semantics by restricting 
the [-]*", [-]¢iey, and [Jie semantics to interval pomsets and interval pomset-divergences: 
Definition 3.3.4 Let P be a set of pomsets, let PF be a set of pomset-failures, and let 
PD be a set of pomset-divergences. Then intervals(P) is the set of interval pomsets p € P, 
intervals(PF) is the set of (p, fF’) € PF such that p is an interval pomset, and intervals(PD) 


is the set of interval pomset-divergences (p, D) € PD. 


For any alphabet Act, let intervals((P, Act)) “ (intervals(P), Act), and let 


intervals((PF,PD, Act)) “et (intervals(PF), intervals(PD), Act). 


Definition 3.3.5 For any WT Net (N, Act), 


Var def intervals([N]“**) 


intvl 


Lye af intervals( LN Mie) ) 


intvl-y split-7 
a f a 
Lv = EN IAT. ENT) 


We have: 


Theorem 3.3.6 The [-JMAy, [-JNac3, and [-]ii, semantics are respectively adequate for MAyY- 


equivalence, MUST-equivalence, and Testing-equivalence. 


Proof. We first note that all linear orderings are interval orderings. The proof is then 
identical to that of Theorem 3.2.37. 7 


The following facts will be useful in proving the compositionality of the interval semantics: 
Proposition 3.3.7 Let p, 91, p2,q be pomsets. 

1. If p is an interval pomset and q is a prefix of p, then g is an interval pomset. 

2. a.pis an interval pomset iff p is an interval pomset. 

3. p|f] is an interval pomset iff p is an interval pomset. 

A. pi; p2 is an interval pomset iff p,;./ and ps are interval pomsets. 

5. ¢ € chotce(a.a,az)(p) is an interval pomset iff p is an interval pomset. 


6. If g is an interval pomset and q = p — a for some pomset p, then there is some interval 
pomset p’ > p such that g = p’ — a. 


7. If gis an interval pomset and g € augment(p,||ap2), then there are interval pomsets p\, p4 
with pi, = pi, py = po such that ¢ € augment(p)||ap5). 
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8. If q is an interval pomset and ¢ € augment(split,, 4, ,2,)(p)) for some pomset p, then there 
is some interval pomset p' > p such that q € augment(split(, a, a,)(P"))- 


9. If g is an interval pomset and qg € augment(0-split(p)) for some pomset p, then there is 
some interval pomset p’ > p such that ¢ € augment(0-split(p’)). 


Proof. We prove the case for hiding. Suppose gq is an interval pomset and gq = p—a 
for some pomset p. Let p’ have the same events with the same labels as p, and let <,, be 
a partial order that is maximal with respect to the following conditions: (i) <, contains <,, 
and (ii) <,- agrees with <, on all non-a-labeled events of p. Clearly, such a pomset p’ exists 
since <, satisfies conditions (i) and (ii). Furthermore, it is easy to see by construction of p’ 
that p’ -a =p-—az=q. Let « <, y and z <, w, and suppose for the sake of contradiction 
that « ~, w and z ¢, y. Then by maximality of <,., there must be some non-a-labeled 
events x,y’, 2’,w’ such that 2’ <, a7, y < y', 2 <p 2%, w <p wv’, and a’ g, w' and 2 gy y’, 
contradicting the fact that p—a is an interval ordering. Hence, either « <, w or z <, y after 
all, and so p’ is an interval pomset. 

The remaining cases are straightforward and are left to the reader. 7 


Similarly: 


Proposition 3.3.8 Let (p, D,), (pi, D1), (pe, D2), (q, Dy) be pomset-divergences. 


1. If (p, D,) is an interval pomset-divergence and (q, D,) is a prefix of (p, D,), then (¢, D,) 
is an interval pomset. 


2. a.(p, D,) is an interval pomset-divergence iff (p, D,) is an interval pomset-divergence. 
3. (p, D,)[f] is an interval pomset-divergence iff (p, D,) is an interval pomset-divergence. 


4. (pi; po, {d U Events,,: d € Ds}) is an interval pomset-divergence iff p,;./ is an interval 
pomset and (pz, Dz) is an interval pomset-divergence. 


5. (q,D,) € 0-1-chotce(aaz,az)((p, Dp)) is an interval pomset-divergence iff (p, D,) is an in- 
terval pomset-divergence. 


6. If (¢, D,) is an interval pomset-divergence and (¢,D,) = (p,D,) — a for some pomset- 
divergence (p, D,), then there is some interval pomset-divergence 
(p', Dp) € augment(extend4-¢((p, D,))) such that (¢,D,) = (p', Dp) — a. 


7. If (¢,D,) is an interval pomset-divergence and (q,D,) € augment((pi,D1)\|4(p2, D2)), 
then there are interval pomset-divergences (pi, D‘),(p5,D%) with (pi,D)) = (m1, D1), 
(Po, Do) = (p2, D2) such that (gq, Dy) € augment((p;, Di)||4(P2, D>): 


8. If (¢, D,) is an interval pomset-divergence and (q, D,) € augment(0-1-splitia a, .a_\((P; Dp))) 
for some pomset-divergence (p, D,), then there is some interval pomset-divergence (p’, Dy) = 
(p, Dp) such that (q,D,) € augment(0-1-splitia a, a), Do)))- 
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Proof. We prove the case for hiding. Suppose (q,D,) is an interval pomset-divergence 
and (¢, D,) = (p, D,) — a for some pomset-divergence (p, D,). Let p’ be defined as in the proof 
of Proposition 3.3.7 and let D,, = {d’}, where d! = down,:(d) U (Events, — maz(p’)) for some 
dé D. By the earlier proof and by construction of D,/, clearly, (p’, D,:) is an interval pomset- 
divergence and (p,D,) C (p, Dp’) X (p', Dp’). Since (q, D,) is an interval pomset-divergence, 
D, = {d,} for some d, D Events, — mazx(q); it is then easy to see from the construction of 
(p', Dp) that (p', Dp:) — a = (¢q, Dz), proving this case. 

The remaining cases are straightforward and are left to the reader. 7 


We will also use the following fact about interval pomset-divergences: 


Lemma 3.3.9 Let (p,D,) be a (possibly non-interval) pomset-divergence and let (q¢,D,) be 
an interval pomset-divergence with (p,D,) CE (q,D,). Then there is some interval pomset- 
divergence (p’, {d’}) with (p’, {d’}) C (q,D,) such that p’ is a prefix of p and d’ D d for some 
dé D,. 


Proof. By the definition of interval pomset-divergences, D, = {d,} for some d, D 
Events, — maz(q). 

We first show that there is some d € D, such that (p,{d}) C (¢,{d,}). The proof is by 
induction on n = |Events, — Events,|. The base case of n = 0 is obvious. For the other 
base case, let n = 1, and let {x} = Events, — Events,. Clearly, there is some d € D, with 
d C down,(x); furthermore, d C down,(x) C Events, — mazx(q) C d,, and so (p, {d}) CE (¢, {d,}). 

For the inductive step, suppose that n > 1. Let {z,...,2,} = Events, — Events,, and 


assume wlog that x, € max(q). It is easy to see that (¢q— #,,{d, — x,}) is an interval pomset- 
divergence and that (p,D,) C (q¢- 4%, {d, — %,}); by the inductive hypothesis, there is some 
d, € D, with (p, {d,}) C (q-an, {d,—-2,}). If d, C down,(z,,), then clearly (p, {di}) E (¢, {d,}). 
Otherwise, there is some y € d; such that y £, &,; we recall that y <, 2; forall l <i<n 
since (p,{di}) C (q— an, {d, — &,}). Now consider any z <, 2,3 since q is an interval ordering, 
it follows that z <, 2; for all 1 <i<n. Thus, down,(2,) C down,(2;) for all 1 <i <n. Since 
(p, Dy) E (q, {d,}), there is some d € D, with d C down,(2,) C down,(2;) for all 1 <i <n. 
Furthermore, d C down,(a,) C Events, — max(q) C d,, and so (p, {d}) C (¢,.D,) as desired. 
Now let p’ be the restriction of p to the set {z € Events, : d Z down,(x)}, which is easily seen 
to be a downward-closed subset of Events,. Furthermore, let d’ = dU(Events, —max(p’)), which 
is easily seen to be a downward-closed subset of Events,. Since d C d, and Events,,—maz(p’) C 
Events, — maz(q) C d,, it is easy to see that d’ C d,. Let x € d’ and let z € Events, — Events,,. 
For one case, let « € d; then it is easy to see that « <, z. For the other case, let x € d’ — d; 
then there is some a’ € p’ such that x <, a’ and d ¢ down,(x’); so there is some y € d 
with y ¢, x’. It is easy to see that y <, z, and since q is an interval pomset, it follows that 
xz <, 2%, proving that (p’, {d’}) C (¢, {d,}). Clearly, prefixes of interval pomsets are also interval 
pomsets, from which it follows easily from the construction of d’ that (p’, {d’}) is an interval 
pomset-divergence, proving the lemma. : 


e- 


Theorem 3.3.10 The [-]MAY, [-J8S25, and [-]ivas, semantics are compositional for split re- 
finements, choice refinements, alphabet expansion and shrinking, and all of our CCS/CSP 


operators. 
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Proof. Let Act be a finite alphabet containing \/, let a,az,ap,a,,a_ € Act, let A C Act, 
let f be a function from Act to Act such that for all a € Act, f(a) = V/ iff a = V/, and let Act’ 
be a finite set of labels containing \/. Furthermore, let (NV, Act), (Ni, Act), (No, Act) be WT 
Nets. 


The following identities, where the operations on the right-hand side of the equations are 
those defined in Definition 3.2.28, follow immediately from the augmentation-closure of the 
[-]“*Y semantics, Proposition 3.3.7, and Theorem 3.2.30. The details are straightforward and 
are left to the reader. 


[(N, Act) grow Act']MAY = [(N, Act)]MAY grow Act’ 


intvl 


[(N, Act) shrink Act'|MAY = [(N, Act) MAY shrink Act’ 


intvl 


[a.(N, Act) ]MAY = a. DN, Act) nay 


intvl 


[7.(N, Act) MAY = (CN, Act) MAY 


[(N, Act)\a]MAr = CN, Act) ear \a 


[(N, Act)[f] ity = (N, Act) i wi LI | 


[(N, Act) — aJMAY = [CN, Act) ]MAr — a 


[(N1, Act); (No, Act) MAY = [CN1, Act) MAT; [(No, Act) nay 


intvl 


[(N1, Act) a) (No, Act) MAY = (Ni, Act) MAY ®@ [(No, Act) vAN 


intvl 


[(N., Act) + (No, Act) : AY = (Ni, Act) AY TM [(No, Act) MAY 


intvl 


[(N1, Act) || (No, Act)JMAY = intervals([(N1, Act) May || [(Ne, Act) Mar) 


intvl intvl 


[(Ni, Act)||a(No, Act)JMAY = intervals([(Ni, Act) }eey |laug 4 T(Ne, Act) eer ) 


intvl intvl 


[(N1, Act) | (No, Act)JMAT = intervals([(N1, Act) MAY | [UNe, Act) Jeary) 


intvl intvl 


[chotce(aazan)((N, Act) Ine = choiceca a, an (LN, Act) nar ) 


intvl 


[spliteaa,,az)(N; Act))|May = intervals( splitea a,,a,)(I(N> Act) Ay )) 


intv intvl 
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The following identities follow immediately from the augmentation-closure of the [- 
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MUST 
split-y 


semantics, Proposition 3.2.14, Proposition 3.2.18, Proposition 3.3.8, Proposition 3.3.9, and 
Theorem 3.2.46. The operations on the right-hand side of the equations are those defined in 
Definition 3.2.45. We prove the case for CSP-style parallel composition; the remaining equalities 


are left to the reader. 


[(N, Act) grow Act’ 
[(N, Act) shrink Act] Mee" 


[a.(N, Act] 


[7.(N, Act)], 


[(N, Act) \a]e ee 


[(N, Act) LARS? = 
[(N, Act) — a] eee 


[(Ni, Act); (Ne, Act) ery 


[(.Ni, Act) +r (No, Act) nay = 
[(Ni, Act) © (No, Act), = 
[(M1, Act) || (No, Act), = 
[(N1, Act)|la(No, Act)Tinnty = 
[(Ni, Act) | (Neo, Act) ]nany = 

[choice(aar,any((N, Act) Iinwey = 

[spliteaay,a_)((N, Act) Tine = 


MUST 
intvl-y 


intervals([(N, Act) grow Act’) 


MUST : ! 
intviy Shrink Act 


[(N, Act) 


intervals(a pref [(N, Act)] ey") 


intvl-y 


intervals(r pref [(N, Act)}e re") 


intvl-y 


intervals([(N, Act)]iivy Pst a) 


intervals([(N, Act) ny rename with f) 


intervals([(N, Act)]invi, hide a) 

intervals([(N,, Act) itv seq [(No, Act) avy) 
[(M1, Act) Iiniviy tar [(N2, Act) Tine 

[(N1, Act) iw internal choice [(N2, Act) iw 
intervals([(N1, Act) ]inway | [(N2, Act) inwy) 


intervals([(Ni, Act) Jenny 


intvl-y 


CSP-parallel yyy, [(N2, Act) 


vy) 
intvl-y 


intervals([(Ni, Act) ey + 


intvl-y 


CCS8-parallel (Ns, Act)) 


MUST 


intervals(choice(a,a; van (LN, Act) intv-y)) 


MUST 


intervals(splity, 4, a_)(L(N, Act) ]inviey)) 


We prove the equality for CSP-style parallel composition. It is easy to see that one direction 
follows easily from Theorem 3.2.46 and the monotonicity of all the operations. To prove the 
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other direction, we first recall from the proof of Theorem 3.2.46 that: 


pomset-failures(y + (dupl-split(( Ni, Act)||a(Ne, Act)) grow {y})) = 
0-split({(p, F): (pi, F1) © 1-2-respect(pomset-failures(y +x (dupl-split({N1, Act)) grow {y}))), 
(po, F2) © 1-2-respect( pomset-failures(y +r (dupl-split({ No, Act)) grow {y}))), 
and p€ pillaps, F-A' CF AN Fy and FNA CRHUF, 
where A’ = {a;:a€ Aand0 <i < 2}U{V/}) 


pomset-divergences(y + (dupl-split((N1, Act)||a(N2, Act)) grow {y})) = 
0-split(U{(p1, D1) ||a'(p2, Da) : 

(pi, Di) € 1-2-respect(pomset-divergences(y + (dupl-split((N1, Act)) grow {y}))) 
U 1-2-respect(pomset-failures(y + (dupl-split((N,, Act)) grow {y}))), 

(pz, D2) © 1-2-respect(pomset-divergences(y + (dupl-split((No, Act)) grow {y}))) 
U 1-2-respect(pomset-failures(y + (dupl-split((No, Act)) grow {y}))), 

D, and Dz are (possibly empty) downward-closed subsets of 

Events,, and Events,,, respectively, and D, U Dz £ 9, 

and A’= {a;:@€ A andd <i < 2}U{/) 


Let (r, D,) € snd([(M1, Act)||4(No2, Act) JMU" ); then 


intvl-y 


(r, D,) € intervals(augment( extend 4.+((p, Dp)))) 


for some pomset-divergence (p, D,) of (N,, Act)||4(.No, Act). By Lemma 3.2.16 and Lemma 3.3.9, 
there is some interval pomset-divergence (q, {d’}}) such that (r, D,) € augment(extend4.:((q, {d’}))), 
q is an augmentation of a prefix of p and d’ D d for some d € D,. By Proposition 3.2.14, 


(q,{d'}) € extends; ( augment( pomset-divergences (N,, Act)||4(N2, Act)))). 


It then follows easily from the highlighted fact above and the definitions of augment and 0-split 
that (q, {d’'}) € extend, .(augment(0-split((p’, Dp)))) for some (p', Dy) € (pi, D1) ||a(p2, P2)), 
where (p;, D1), (po, D2) are appropriate pomset-divergences or pomset-failures. 

It follows from Lemma 3.3.9 and Proposition 3.3.8 that there are some interval pomset- 
divergences (q', Dy) = (p', Dp’), (a, Da) = (pi, P1), (G2, Da.) = (pe, D2) such that (q, {d’}) € 
extend 4-4( augment( 0-split((q’, Dy)))) and (q', Dy) € augment((q, Dy, )|la'(q2, Dg.) ). From the 
definition of 0-splt and augment and Lemma 3.2.16, it is easy to see that 


(q,{d'}) € augment( extend 4-¢( 0-split( (a, Dq,)||4:(¢2, Dq)))) 


The desired equality then follows easily. The proof for pomset-failures is similar, except that it 
uses Proposition 3.3.7 instead of Proposition 3.3.8. 

Proposition 2.2.18 and the equalities for prefixing and CCS choice together imply the com- 
positionality of internal choice. Proposition 2.2.19 and the equalities for alphabet expansion 
and shrinking, CSP-style parallel composition, choice refinements, and hiding together imply 
the compositionality of CCS-style parallel composition. : 


Theorem 3.3.11 The [-JMA), [-JMi.5, and [-JEii7, semantics are respectively fully abstract for 


MAY-equivalence, MUST-equivalence, and Testing-equivalence with respect to alphabet expan- 
sion, split refinements, choice refinements, and CCS choice. Furthermore, only split and choice 
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J]May 
intvl * 


refinements are necessary for | 


Proof. By Theorem 3.3.6 and Theorem 3.3.10, it remains to prove distinguishability. 
Let (Ni, Act;),(No, Actz) be WT Nets. For one case, let (PT), Act;) = [(Ni, Acti) ]MAT, let 


intvl ? 


(PT2, Actz) = [(No, Actz) MAT, and suppose that (PT), Act;) #4 (PT>, Actz). If Act, # Acta, it 
is easy to see that the nets are MAY-inequivalent. Otherwise, Act; = Act, = Act and PT, F 
PT,; we assume wlog that there is some interval pomset p € PT, — PT,. Let n = |Events,|, 
and let Act’ = {ai ai, aj:a€ Act andl<j< n} be distinct symbols not in Act. Finally, let 


C|-] be the following net context: 

C[-] = o(6(- grow Act’)), 
where 6 is the sequence of choice refinements (chotce(a qi -_ an)i@e€ Act) (which can be pro- 
grammed by repeated use of binary choice refinements), and o is the sequence of split refine- 
ments (splitegr qi at) +++ SPlittan an any? @ € Act). 

We will perform corresponding split and choice refinements on pomsets. Using Defini- 
tion 3.2.25, we can overload notation and let 6 also represent the obvious sequence of choice 
refinements on pomsets. For concreteness, we will “fully split” all events in p, and so, using 
Definition 3.2.26, we let o! = (splitias a1 a1,p) «++ SPlitcan an ang)? @ © Act). 

Since n = Events,, it is easy to see that there is some pomset q € o’(6(p)) such that q¢ 
is an augmentation of a pomset-trace of C[N,] and all labels in g are distinct. Furthermore, 
since we implicitly equate isomorphic pomsets, it is easy to see that we can assume wlog that 
Events, = {(y,1),(y,2)|y € Events, }, 1,((y,2)) = (Ip(y))? for some 1 < k < n, and (y,%) <, 
(y',7) iff either y <, y’ or (y =, y’ and 2 < 7). Clearly, there is a unique (injective) mapping [ 
from events x of p to labels a’, where [(a) = a’ iff I,(a) = a and [,((#,1)) = a‘. For any event 
« of p, we can regard the (unique) [(2),-labeled and I()2-labeled events of q as respectively 
representing the “beginning” and “end” of the interval corresponding to «. Now, since p is an 
interval pomset, it follows by Lemma 3.3.2 that there is a linearization v of q such that (the 
unique) ai-labeled event precedes (the unique) bj-labeled event in v iff I~!(a’) <, I71(b/). 

Clearly, v € traces(C|N,]). If v € traces(C[N2]), there would be some pomset-trace p’ of 
N and some q’ € o'(6(p’)) such that v is a linearization of q’; thus, all events in g’ must have 
distinct labels. Clearly, there is a unique (injective) mapping I’ from events x of p’ to labels 
a’, where I(x) = a’ iff L,.(a) = a and U,,((a,1)) = a). It is then easy to see that [~'o I’ isa 
label-preserving order-augmenting bijection from p’ to p. But by definition of [-]MAYy, this would 
imply that p € PTs, a contradiction. Thus, v € traces(C[N,]) — traces(C[N2]) after all, and so 
by Proposition 3.1.4, C[N,] and C[N2] are MAY-inequivalent, proving this case. 

To prove that [-JMU%* is fully abstract, let (PF,,PD,, Act) = [(N, Acti) JMU", let 


intvl-y intvl-y? 


(PF5, PDz, Acty) = (No, Acts) JMCP, and suppose that (PF,, PD), Act) # (PF, PDz, Act). 
If Act’, 4 Act}, it is easy to see that Act, # Act, and hence the nets are MUST-inequivalent. 
For the next case, suppose PD, #4 PD.; we assume wlog that there is some interval 
pomset-divergence (p, {d,}) € PD, — PDs. Using Proposition 3.2.15, Proposition 3.2.17, and 
Lemma 3.3.9, we can assume wlog that there is some d C d, such that (p, {d}) is an augmenta- 
tion of a pomset-divergence (r, {d,}) of y +x (dupl-split((N,, Act)) grow {y}); the details are 
straightforward and are left to the reader. From the definition of y+), and the definition of WT 
Nets, r, and hence p, does not have any y-labeled or \/-labeled events. By Lemma 3.2.41, we 
can assume wlog that r, and hence p, does not contain any ag-labeled events for any a € Act. 
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By Proposition 3.2.38, it is easy to see that for all a € Act, every a,-labeled event is maximal 
in r; thus, we can assume wlog that for all a € Act, every a,-labeled event is also maximal in p. 
Again using Proposition 3.2.38, it follows that d,, and hence d, contains only ao-events; thus, 
we can assume wlog that d, contains all and only the ao-events of p. Let Act’, 7, and 6 be as 
in the previous case, and let 


Cl] = 7 +m o(6(- grow Act’ U {7})). 


Furthermore, let n = |Events,|, and let 6’ be the sequence (chotce(a,a1,..an): @ € Act) followed 
by the sequence (chotcea,at,...a”) : a € Act). We let o’ be as in the previous case. 

It is easy to see that there is some pomset-divergence (q, {d,}) € o’(é’((p, {d,}))) such that 
all labels in g are distinct, d, contains all and only the ay-labeled events of ¢ for all a € Act, and 
for some d’ C d,, (q,{d’}) is an augmentation of a pomset-divergence of C[.N,]. Furthermore, 
in qg all ag-labeled events of p have been “fully split,” while all a,-labeled events of p have been 
relabeled. Again, since we implicitly equate isomorphic pomsets, it is easy to see that we can 
assume wlog that 


e Events, = {(y,1),(y,2)|y € Events, and [,(y) = do for some a € Act} U 
{(y,1)|y € Events, and l,(y) = a, for some a € Act} 


e 1,((y,2)) = (L(y))f for some 1 < k < n, and 
© (y,%) <q (y’, J) iff either y <, y’ or (y =», y’ andi < J). 


Clearly, there is a unique mapping J from events x of p to labels a’, where I(x) = a’ iff 
L,(x) = a and 1,((z,1)) = a|. Using similar reasoning as in the previous case, it follows by 
Lemma 3.3.2 that since p is an interval pomset, there is a linearization v of g such that (the 
unique) aj-labeled event precedes (the unique) b/-labeled event in v iff I~'(a‘) <, I71(W). 
Clearly, v € D(CLN,]). If v € D(CLN2)), let v’ be the minimal prefix of v with v’ € D(CLNs)). 
Then there must be some pomset-divergence (p’, {d,}) of y +i (dupl-split((N2, Act)) grow {y}) 
such that p’ contains no as-labeled events and some (q’, {d,}) € o’(é'(p’)) such that v’ is a 
linearization of gq’. By the same reasoning as before, we can assume without loss of generality 
that all a;-labeled events in p’ are maximal, and d,, contains exactly the ao labeled events of 
p for all a € Act. Clearly, there is a unique mapping J’ from events x of p’ to labels a’, where 
I'(e) = a iff l(a) = a and l,((2,1)) = a). It is then easy to see that I~! 0 I’ is a label- 
preserving order-augmenting bijection from p’ to a downward-closed subset of p. Furthermore, 
for all « € p— I~'(I(p’)) and all y € dy, it is easy to see that the I’(y)s-labeled event exists 
and is in v’, and the /,(a,1)-labeled event is in v — v'. Hence, I~'(I'(y)) <, @. Furthermore, 
since d, and d, contain exactly the the ao-labeled events of p and p’, respectively, it is easy to 
see that I~'(I(dy-)) C dp, and so I~*(I'((p', {dp'}))) E (d, {dp}). But by definition of [-JMIT5, 
this would imply that (p,{d,}) € PD», a contradiction. Thus, v ¢ D(C[No]) after all, and so 
by Proposition 3.1.4, C[N,] and C[N2] are MUST-inequivalent, proving this case. 

For the last case, suppose that PD, = PD, but PF, # PFy; we assume wlog that there is 
some interval pomset-failure (p, F,) € PF, — PF such that (p, {Events, }) ¢ PD, UPD». Thus, 
(p, F,) is an augmentation of a pomset-failure (r, F,) of y +4 (dupl-split((.N,, Act)) grow {7}). 
It is easy to see from the definition of [-JM2y> that r, and hence p, cannot contain any y- 


intvl-y 
labeled event, while it follows from the definition of WT Nets that r, and hence p, can contain 
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at most one \/-labeled event. Furthermore, from Lemma 3.2.41, we can assume without loss 
of generality that r, and hence p, does not contain any a» labeled events, for any a € Act. 
Finally, using Proposition 3.2.38, it is easy to see that for all a € Act, any a,-labeled event 
is maximal in r; thus, we can assume wlog that for all a € Act, all a,-labeled events are 
also maximal in p. Let Act’, o, 6, and C[-] be as in the previous case. Furthermore, let 
n = |Events,|, and let 6’ be the sequence (choice;a,.a1,..an): @ € Act —{,/}) followed by the 
sequence (choice(q,ai,..ar)i@ € Act—{,/}) followed by choice,y pp). We let o’ be as in 
the previous cases. It is easy to see that there is some pomset g € o’(6’(p)) such that all 
labels in q are distinct and (q,f,) is an augmentation of a pomset-failure of C[.N,], where 
F, = {aj: a9 € FL} U ({y,/} 9 #,). Furthermore, in g all ag-labeled events of p have been 
“fully split,” while all a ,-labeled events of p have been “half-split.” Again, since we implicitly 
equate isomorphic pomsets, we can assume that g has the same form as in the previous case. 
Clearly, there is a unique mapping J from events x of p to labels a‘, where I(x) = a’ iff 
l,(v) = a and I,((a,1)) = a). Using similar reasoning as in the previous case, it follows by 
Lemma 3.3.2 that since p is an interval pomset, there is a linearization v of g such that (the 
unique) aj-labeled event precedes (the unique) b/-labeled event in v iff I~'(a‘) <, I71(b). 
Clearly, (v, F,) € F(CLM]). If vo € D(CLN2]), then it is easy to show by the same reasoning 
as the previous case that (p,{Events,}) € PD», a contradiction. Thus, if (v, fF) € F(CLN=»]) 
there would be some pomset-failure (p’, fF.) of y + (dupl-split((No, Act)) grow {y}); and some 
qd € o'(é'(p’)) such that v’ is a linearization of gq’ and F, C {az: ao € Fy} U ({y, V3 9 £,,). 
Clearly, there is a unique mapping J’ from events x of p’ to labels a’, where I'(x) = a’ iff 
L,(a) = a and 1,.((@,1)) = aj. It is then easy to see that [~' 0 I’ is a label-preserving order- 
augmenting bijection from p’ to p. Furthermore, it is easy to see that F, C F,. But by 
definition of pomset-failures and [-]i{,, this would imply that (p, F,) € PFs, a contradiction. 
Thus, (v, F,) ¢ F(CLN2]) after all, and so by Proposition 3.1.4, CLN,] and C[N»] are MusT- 
inequivalent, proving this case and the theorem. : 


We now observe that the [-]“**,[-JSicy, and [-]iii3 semantics make strictly more dis- 
tinctions than the [-JMAY,[-]N¢5, and [-]ii, semantics, respectively, and hence are not fully 


abstract: 


Theorem 3.3.12 The [-]"**, [-Joie;, and [-Jii) semantics are respectively not fully abstract 
for MAY-equivalence, MUST-equivalence, and Testing-equivalence with respect to the WT Net 


operators. 


Proof. Let N, and N, be the nets pictured in Figure 3-8, let Act = {a,b}, and let p be 
the pomset pictured in Figure 3-8. It is straightforward to show that (N,, Act) +y, (No, Act) 
and (N2, Act) have equivalent [-]*\7, meanings. However, they have different [-]““Y mean- 
ings, since p is a non-interval pomset-trace of (Ni, Act) but not of (Nz, Act). Furthermore, 
they have different [-JNy°+ meanings, since (p[f],), where f(a) = ap and f(b) = bo, is a non- 
interval pomset-failure of the 7 +3, dupl-split version of (N,, Act) +4 (No, Act) but not of the 
7 +m dupl-split version of (Nz, Act). Thus, it is an immediate consequence of Theorem 3.3.11 
and the definitions of the semantics that [-]“*”, [-Jiie>, and [-]iia-, cannot be fully abstract. = 

In addition to process equivalence under experiments, Hennessy [19] presents a natural form 
of MAY-, MUST-, or Testing-approximation, in which a process, p, is said to MAY-approximate 
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Figure 3-8: Interval Example 


(MUST-approximate) a process, q, iff g may (must) pass every experiment that p may (must) 
pass, but not necessarily the converse. Our [-]Ra7, [Uitac,, and [lity semantics are, in 
fact, also fully abstract with respect to MAY-, MUST-, or Testing-approzimation, where the 
[Jar Semantics is ordered by set-theoretic containment of the pomset-traces, and the [-Jii.y 
semantics is ordered by component-wise reverse containment of the pomset-failures and pomset- 
divergences. These orderings will be presented in detail in Chapter 4. The proofs of full 


abstraction for process approximation are identical to the proof of 3.3.11. 
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Chapter 4 


The Semantic Domains 


In this chapter, we show that all the semantics presented in Chapter 3 map WT Nets to 
elements of complete partial orders (cpo’s) and and that all our process operations correspond 
to continuous functions on these cpo’s. In order to prove these properties, we give an abstract 
characterization of each of our spaces of process meanings. These results together provide a 
semantic foundation for inductive (fixed-point) reasoning about recursively-defined processes in 
the standard manner (cf. [18, 19]). 

We also prove in this chapter that all our semantic domains are algebraic cpo’s, in the sense 
that all elements are fully determined by the compact (finitely-specified) elements that approx- 
imate them. Furthermore, all compact elements of these cpo’s are definable as the meanings of 
WT Nets. These results, although technically rather hard, are important because they guaran- 
tee that our full abstraction results from Chapter 3 will continue to hold for recursively-defined 
processes. 


4.1 Standard Definitions 


We begin with some standard definitions about algebraic complete partial orders and continuous 
functions, cf., [18, 19]. 


Definition 4.1.1 A partial order is a pair (D,Cp), where D is a set and Cp is a binary relation 
on DP that is reflexive, anti-symmetric, and transitive. 

A element x € D is the least element of D iff « Ep y for every y € D. Let A be a subset 
of D and « an element of A. Then « is an upper bound of A iff y Ep x for every y € A. We 
say that x is a least upper bound of A iff, in addition, x Lp z for every upper bound z of A. It 
follows from the anti-symmetry of Ep that least upper bounds, if they exist, are unique. We 
use ||, A to denote the least upper bound of A, when it exists. 

A is a directed subset of DP iff it is non-empty and for all pairs of elements 7,, 22 € A, there 
is some a3 € A such that v3 is an upper bound of the set {2,, x2}. 

The partial order (D,Cp) is a complete partial order (cpo) iff it has a least element and 
every directed subset of D has a least upper bound. 

An element « € D is compact iff for every directed set A C PD such that « Ep || A, there 
is some y € A with « Cp y. A cpo (D,Cp) is algebraic iff for every element z € D, the set 
M, = {x €D: 2 is compact and x Ep 2} is directed and z =|] M.. 
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Definition 4.1.2 Let (D,Cp) and (€,Ce¢) be cpo’s and let f be a function from D to €. 
Then f is continuous iff for every directed subset A C D, f(A) is a directed subset of € and 


f(Lp A) =L- f(A). 


Definition 4.1.3 Let (D,Cp) be a cpo and let f: D—D be a function. An element x € D is 
called a fixed point of f iff a = f(a). It is called the least fired point if, in addition, « Cp y for 
every fixed point y of f. 


The following well-known theorem ensures that complete partial orders and continuous 
functions support fixed point reasoning about recursively-defined processes, cf., [18, 19] for the 
proof. 


Theorem 4.1.4 (standard) Let (D,Cp) be acpo and let f: D—D be a continuous function. 
Then f has a least fixed point (in D). 


4.2 The Unsplit Semantics 


This section gives an abstract characterization of the [-]”*%, [-J“°°", and [-]7*°°" semantics on 
WT Nets, shows that they form algebraic cpo’s, and proves that all the corresponding process 
operations from Chapter 3 are continuous functions on these cpo’s. 

The following proposition will be useful in proving these properties of our semantic domains: 


Proposition 4.2.1 Let Act be a finite set of labels, let PT’ be a prefix-closed set of pomset- 
traces over Act, let PF be a prefix-closed set of pomset-failures over Act, and let PD bea 
prefix-closed set of pomset-divergences over Act. Then 


e augment(ertend4-;(PD)) is prefix-closed and extension-closed over Act. 
e augment( PT) is prefix-closed and augment( PF’) is prefix-closed. 


(p, D,) € PD for some D,}, then 


yi 
e If PFD {(p,0): 
) U implied- failures y,,(augment( extend4.;(PD))) is prefix-closed. 


augment( PF 


Proof. The extension-closure of augment(extend,.;(PD)) is a simple consequence of 
Proposition 3.2.15 and the prefix-closure of PD. To show that augment(extend4,;(PD)) is 
prefix-closed, suppose that (p, D,) E (¢,D,) x (7, D+), (p, Dp) € PD, and (7’, D,,) is a prefix 
of (r, D,). By Proposition 3.2.17, there is some prefix (q’, D,) of (¢,D,) such that (q, Dy) x 
(r’, D,). It is then a simple consequence of Proposition 3.2.17 and the prefix-closure of PD 
that (r’, D..) € augment(extend4.;(PD)). 

The prefix-closure of augment( PT) and of augment( PF’) follows immediately from Propo- 
sition 3.2.17 and the prefix-closure of PT and PF. 

For the last part of the proof, let (r, F’) € implied-failures 4 ,,(augment(extend4.;(PD))) and 
let r’ be a prefix of r. Thus, there is some (p,D,) € PD and some (q,D,) with (p,D,) EF 
(q,D,) x (7, {Events,}), and we can assume without loss of generality that D, = {Events, }. 
Let q' be the restriction of ¢g to r’; it is easy to see that q’ is a prefix of g and q' <r’. If qd isa 
prefix of p, then (p, 0) € PF and the prefix-closure of PF imply that (¢,0) € PF, and so (r,@) € 
augment( PF). For the other case, when q’ is not a prefix of p, it follows by Proposition 3.2.17 
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that (p', Dy) CE (¢q’, {Events,}) < (r’, {Events,:}) for some prefix (p', D,:) of (p, Dp). Thus, it 
follows from the prefix-closure of PD that (r’,@) € implied-failures 4 ..(augment(extend4.4(PD))), 
completing the proof. : 


We now give the abstract characterizations of the [-]“*Y, [-J“°7, and [-]7°°" semantics. 


Definition 4.2.2 Let Act be a finite set of labels containing the distinguished symbol \/. A 
pair (PT, Act) is said to be MAy-respecting iff PT is a set of pomset-traces over Act such that 


1. Oe PT. 
2. PT is prefix-closed. 
3. PT is augmentation-closed. 


4. p€ PT and p contains a \/-labeled event implies that there is exactly one such event and 
this event is the unique maximum event of p. 


Definition 4.2.3 Let Act be a finite set of labels containing the distinguished symbol \/. A 
triple (PF, PD, Act) is said to be MustT-respecting iff PF is a set of pomset-failures over Act 
and PD is a set of pomset-divergences over Act such that the following properties hold: 


1. Closure properties of PF: 


a) (0,0) © PF. 
b 


) 
) 
(c) 
(d) 
(e) 


( 
(b) PF is prefix-closed. 
P 

( 
( 


2. Closure properties of PD: 


F is augmentation-closed. 
) € PF and F’ C F implies that (p, F’) € PF. 


e ) € PF, c€ Act, and (p;c,@) ¢ PF implies that (p, FU {c}) € PF. 


pk 
pk 
PD is prefix-closed. 

PD is augmentation-closed. 


PD is extension-closed under pomset-divergences over Act. 


if (po, D) € PD, 1r1,...,7r~ are downward-closed subsets of po, and for all n > 0, 
there is some pp4i With (pryi,D) € PD and some {21,...,%,} C max(pn41) 
such that pp4; — {@1,--.,¢e} = Pn and r; = downy, ,,(#;) for 1<i<k, 

then (po, DU {ri,..., re }) € PD. 


(e) (p,D) € minc(PD) implies that p contains no \/-labeled events. 


3. Mixed closure properties: 


(a) (p, F’) € PF and (p, {Events,}) ¢ PD and p contains a \/-labeled event implies that 
there is exactly one such event, this event is the unique maximum event of p, and 
(p, Act) € PF. 
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(b) (p,D) € PD and F C Act implies that (p, F) € PF. 


(c) if (po,0) € PF, 1ri,...,1r, are downward-closed subsets of po, and for all n > 0, 
there is some (pn4i,@) € PF and some {2,,...,%,} C max(pn41) 
such that pp4i — {21,--.,¢e} = Pn and r; = downy, ,,(#;) for 1<i<k, 
then (po, {r1,.--,7r}) € PD. 


We remark that closure conditions (2d) and (3c) are necessary and sufficient to ensure that 
unbounded concurrency in PF or PD is possible only in the presence of appropriate causal 
divergences, which themselves may be concurrent. 


Definition 4.2.4 Let Act be a finite set of labels containing the distinguished symbol \/. A 
pair ((PT, Act), (PF, PD, Act)) is said to be TEST-respecting iff (PT’, Act) is MAY-respecting , 
(PF, PD, Act) is MUST-respecting , and 


1. p€ PT implies that (p,0) € PF. 
2. (p, F) € PF and (p, {Events,}) ¢ PD implies that p € PT. 
3. (p,D) € ming(PD) implies that p € PT. 


Definition 4.2.5 Let Act be a finite set of labels containing the distinguished symbol ,/. 
Then DAY is defined to be the set of all MAy-respecting pairs (PT, Act). Furthermore, 
oye” is the binary relation on DYA* such that for every (PT,, Act) and (PT», Act) in DNAY, 
(PT,, Act)LN** (PT,, Act) iff PT, C PT». 


Definition 4.2.6 Let Act be a finite set of labels containing the distinguished symbol \/. Then 
DNUST is defined to be the set of all MUST-respecting triples (PF, PD, Act). Furthermore, C'\0°" 
is the binary relation on DSS" such that for every (PF, PD,, Act) and (Py, PDs, Act) in 
DMUST (PF, PD,, Act)CM"*"(PFy, PD», Act) iff PF, > PF, and PD, > PDs. 


Definition 4.2.7 Let Act be a finite set of labels containing the distinguished symbol ,/. 
Then D757 is defined to be the set of all TEST-respecting pairs ((PT, Act),(PF, PD, Act)). 


Furthermore, C%,";" is the binary relation on D72°? such that for every (a, 3;) and (a2, 32) in 


DY", (a4, GEMS (aa, Bs) iff aM ag and By, CNETB., 


We first show that [-]M4*, [-JM°°7, and [-]7°°" map WT Nets to elements of DYAY, DNPS*, 
and Di*?", respectively. 


Theorem 4.2.8 Let (N, Act) be a WT Net. Then [(.N, Act)]M*Y € DYAY, [CN, Act)]M°S? € 
D'S? and [(N, Act)]"™=" © DEES", 


Proof. The proof for [-]“**Y is a simple consequence of Definition 2.1.2, the definition of 
pomset-traces, Proposition 3.2.14, and Proposition 4.2.1; the details are left to the reader. 

For the proof of [-JM°°7, let (PFiy, PDy, Act) = [(N, Act)]“"°". All the closure conditions 
in Definition 4.2.6 except for (2d) and (3c) follow directly from the definition of [-]“°°", the 
definition of WT Nets, Proposition 3.2.14, Proposition 3.2.15, and Lemma 4.2.1. 

To prove that closure condition (2d) holds, let some sequence ((p,,.D):n > 0) and some set 
R of prefixes of po be given that satisfy the hypothesis of (2d). For one case, suppose that all of 
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the (p,, D) € augment( pomset-divergences((.N, Act))). We recall that by definition of WT Nets, 
only a finite number of transitions are enabled under any reachable marking of (N, Act). Thus, 
it is possible for an unbounded number of concurrent events to be enabled after any prefix r of 
po only if either a divergence is enabled immediately after r or a divergence is enabled “along 
the way to r,” i.e., immediately after some pomset r’ with (r’, {Events,. +) C (r, {Events,}). In 
either case, it then follows easily from the definition of pomset-divergences that (po, DU R) € 
PDy. 

For the other case, Proposition 3.2.14 and Proposition 3.2.15 imply that there is some se- 
quence ((qr,D,):n > 0) such that every (q,,D,) € augment(pomset-divergences((N, Act))) 
and (qn; Dn) E (pn, D). Since by Proposition 3.2.14 and Proposition 3.2.17, 
augment ( pomset-divergences((N, Act))) is prefix-closed, we can assume without loss of gener- 
ality that for all n > 0, there is no event « € q, such that down,,(2) D d for some d € D,. 
Furthermore, since by hypothesis all events in p, — pp are maximal in p,, we can assume without 
loss of generality that every D,, is a non-empty set of prefixes of pp. Thus, there are only a 
finite number of distinct D,, and hence there is some subsequence ((@n,,Dn,): > 0) such that 
all the D,,, are equal to some non-empty set D’. If there is some x € py and some q,, such 
that 2 is not an event of q,,, there must be some d € D’ with d C down,,(«); therefore, by our 
assumptions on the g,, it follows that x is not an event of any of the g,,. We then have that 
for all n,, the set Events,, Events,, is identical. Furthermore, for every 2; € (Pp; — Po) — Unjs 
there must be some d € D’ with d C down,, (a;) = 7; for some r; € R. Thus, it follows 
by our assumptions on the g, that x; is not an event of any of the q,,. Furthermore, since 
augment ( pomset-divergences((N, Act))) is prefix-closed, we can assume without loss of gener- 
ality that q,, is a prefix of pp and that for all 7 > 0, @,,,, — © = dm, for some & € maz(qn,,,)- 


i+. 
It is now easy to see that either (i) all of the q,, are identical and are equal to some pomset 


q that is a prefix of po, and for every r; € R, there is some d € D’ with d C r; or (ii) there is 
some R’ C R such that R’ and the sequence ((qn,,.D'): k > 0) satisfy the hypothesis of (2d), 
and for all r; € R — R’, there is some d € D’ with d C r;. If (i) holds, it follows easily by our 
construction of the (q,,,Dn,) that (q, D’) C (p, DU R). If (ii) holds, it follows from the earlier 
case in this proof that (q,,,D’ U R’) € PDy. It follows from the construction of the q,, that 
(dno, D' UR’) E (po, DU R), proving this case. 

The proof of closure condition (3c) is quite similar and is left to the reader. 


For the proof of [-]7°°7, it is straightforward to see from the definitions of pomset-traces, 
pomset-failures, and pomset-divergences of WT Nets, the definition of [-]™’°*, and Proposi- 
tion 3.2.15 that the additional closure conditions hold. The proof of this case then follows 
easily from the previous cases. : 


We now observe that: 


Theorem 4.2.9 Let Act be a finite set of labels containing the distinguished symbol \/. Then 
(DMAY MAY), (DMUST oe), and (DUES? Cle?T) are complete partial orders. 


Proof. It is easy to see that (DNAY, CVA’), (DNUST CNUST) and (DyEeT, Cee’) are partial 
orders. 
For DS”, it follows immediately from the definition of MAy-respecting and DNA” that 


(0, Act) € DNAY and approximates every element (PT,) € DNAY with N = Act. Let A 
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be a directed subset of DY”, and let {(PT;, Act): 7 > 0} = A. It is very easy to see that 
(U{PT;: 7 > 0}, Act) € DY”, proving this case. 

For the proof of DUS? let PF@, be the set of all pomset-failures over Act, and let PD%,, be 
the set of all pomset-divergences over Act. It is easy to see that (PF%.,, PD%.,, Act) © DNUSt 
and approximates every element (PF, PD,%) € DNUS? with = Act. 

MUST 


We now show that every directed subset A of DTP" has a least upper bound in DYY 


Let {(PF;, PD;, Act): i> 0} © A, let PF, =A {PE;:i > 0}, and let PD, =(\{PD;: i> 0}. 


Clearly, it suffices to show that (Ply, PD,, Act) € DYES. All the closure properties follow 
trivially, except for (le), (2e), and (3a). 


(le) (p, F) € PF4, c € Act, and (p;c,0) ¢ PF, implies that (p, FU {c}) € PFy. 


(2e) (p, D) € mincg(PD,) for some D implies that p contains no /-labeled or y-labeled events. 


(3a) (p, fF’) € PFs and (p, {Events,}) ¢ PD, and p contains a \/-labeled event implies that 
there is exactly one such event, this event is the unique maximum event of p, and (p, Act) € 
PF. 


To prove (le), suppose for the sake of contradiction that for some ¢ € Act, (p, fF’) € PF 4, 
(p;¢,0) ¢ PF4, and (p, FU {c}) ¢ PF4. Then (p, F’) € PF; for all (PF;, PD;, Act) € A, (p, FU 
{c}) ¢ PF,, for some (PF,,, PD, Act) € A, and (p;c,0) ¢ PF; for some (PF;, PD;, Act) € 
A. Since A is a directed set, there would be some (PF,,PD,, Act) € A that is an upper 
bound of both (PFi,, PD», Act) and (PF;,PD;, Act). This would imply that (p, F) € PF,, 
(p, F U {c}) @ PF,, and (p;c,0) ¢ PF,, a contradiction since (PF, PD,, Act) € A C DNUST. 
Thus, (le) must hold after all for P’y. 

To prove (2e), it suffices to show that (p, D) € minc(PD,) implies that (p, D) € ming(PD;) 
for some (PF;,PD;, Act) € Act. Clearly, there are only a finite number of distinct pomset- 
divergences (p;,D;) with (p;,D;) C (p,D), and PD, does not contain any of them. Hence 
for every such (p;,D;), there is some (PF;,PD;, Act) € A such that (p;,D;) ¢ PD;. By 
compactness, there is then some (PF;, PDj;, Act) € A with (p, D) € mincg(PD;). 

The proof of (3a) is very similar and is left to the reader. 

The proof for DUET is a straightforward combination and adaptation of the proofs of the 
previous two cases. The details are left to the reader. : 


We now give a finite characterization of the compact elements of these domains: 


Definition 4.2.10 Let Act be a finite set of labels containing the distinguished symbol \/. A 
pair (PT, Act) is a finite candidate of DAY iff (PT, Act) © DYSY and PT is a finite set. 

A triple (PF, PD, Act) is a finite candidate of DYQST iff Act is a finite set of labels and 
there is some finite set PF g, of pomset-failures over Act and some finite set PDgy, of pomset- 
divergences over Act such that: 


e (PFain,@, Act) € DNS. 
e PD is prefix-closed. 
e (p,D) € PPgn implies that (p,0) € PFén. 
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e PD = augment(ertend4.1(PPfin)). 
e PF = PF gy U implied-failuress.,(PD). 


A tuple (a, 3) is a finite candidate of Dik?" iff (a, 8) € DAE", a is a finite candidate of 
DNAX, and ( is a finite candidate of DYSST. 


Lemma 4.2.11 Let Act be a finite set of labels containing the distinguished symbol ,/. Then 
all finite candidates of DNAY, DNSST, and DUET are compact elements of DYAY, DUST, and 


Dirt, respectively. 


Proof. For the proof for DY¥S*, let (PT, Act) be a finite candidate, and let A C DX” bea 
directed set such that (PT, Act)CNS” || A. Since PT is finite, it follows immediately from the 
directedness of A that there is some (PT, Act) € A with PT C PT;,,. 

For the proof for DYUST, let (PF,PD, Act) be a finite candidate, and let PF in, PP fin 
be given. We first show that (PF, PD, Act) is in fact an element of DUST. Proposition 4.2.1 
immediately implies that closure conditions (2a), (2b), and (2c) of Definition 4.2.6 hold for PD. 
Proposition 3.2.15, the given properties of PD, and the fact that (PF gn, 9, Act) € DMUST 
immediately imply that closure condition (2e) holds. To show (2d), suppose there is some 
(Pn, D) € PD for n > 0 and some r,,...,7, satisfying the hypothesis. By definition of PD 
and the finiteness of PDgy, clearly an infinite number of the (p,, D) must be augmentations of 
extensions of some common (p, D’) € PDgy such that (p, D’ U{ri,...,rr}) € PPan. It is then 
easy to show that the other closure properties of PD imply that (po, DU {ri,...,7x}) € PD; 
the details are left to the reader. The proof of closure condition (3c) for PF is similar. 

From the definition of DY°°", Proposition 4.2.1, and the fact that (PF gn, 9, Act) € DYPS, 
it is easy to see that all the other closure conditions hold, proving that (PF, PD, Act) € DNUST. 

Let A C DN&ST be a directed set such that (PF, PD, Act)CY°"(PF4, PDa, Act) = (JA. 

Let k = max{|p|: (p,0) € PF an}, and let m be the number of distinct pomsets in PF én, 
i.e, m= |{p: (p,0) € PFgn}|. Let U be the following set of pomset-failures: 


U = {lp, F): (p, F) is a pomset-failure over Act, (p,F) ¢ PF, and |p| <m-8*}. 


Clearly, U is finite and does not intersect PF’, and hence does not intersect PF4. The 
directedness of A then implies that there is some (PF;, PD;, Act) € A such that PF; does not 
intersect U. 

To show that PF; C PF, let (r,F,) be a pomset-failure over Act with (r, Ff.) ¢ PF. If 
|r| < m-8*, then clearly, (r, F.) ¢ PF;. Otherwise, when |r| > m-8*; we will show that there 
is some prefix r’ of r such that |r’| < m-8* and (r’,0) ¢ PF. Let q be a prefix of r such 
that (¢,0) € PF gn, and g is maximal with respect to these properties; clearly, such a pomset q 
exists since by Definition 4.2.10, (0,0) € PFan. Furthermore, by definition of k, it follows that 
lal < k. 

We obtain a prefix r’ of r by iterating the following procedure until termination. First set 
r’ to be the prefix of r with carrier {2 € Events, : depth,(x) <k +1}. Pick some a € r’ — q 
such that 2 is in some cut C of r’ of size strictly larger than & + 1. If there are & + 1 distinct 
@1,-+-,2e41 € (C — {x}) such that for all q’ with (¢q',0) € PF gn, down, (x) Nq = down. (21) N 
qd =... = down, (%p41) Aq, then remove from r’ the set of events {y € Events, : a <, y}, and 
re-set 7’ to be the resulting pomset. Repeat this procedure until there are no events x in r’ 
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satisfying the above conditions. Clearly, the resulting pomset r’ is a prefix of r. Furthermore, 
since PF gy, contains at most m different pomsets, each of size bounded by k, and each such 
pomset has at most 2* prefixes, it is easy to see that the size of any cut in r’ is bounded by 
m-2*-(k+1). Furthermore, since the depth of r’ is bounded by k +1, it follows that |r’| < m-8*. 


It is easy to see by construction of r’ that q is a prefix of r’ and that r’ # q; thus (r’,0) ¢ 
PF in by maximality of g. Suppose for the sake of contradiction that (r’, {Events,. }) € PD; then 
by Proposition 3.2.15 and the prefix-closure of PDgn, there is some (p, D,) € augment(PD gn) 
such that (p,D,) C (r’,{Events,.}). Thus, Definition 4.2.10 implies that (p,0) € PFin and 
hence that |p| < k. For every y € r— 1’, either (i) there is some x € r—r’ with x <, y, some 
cut C of r’, and some k + 1 distinct 21,...,a,41 € C such that for all q with (¢',0) € PFrn, 
down. (2) Ng = down, (21)N go =... = down, (ap41) V_ or (ii) depth,(y) > k + 1. Suppose 
(i) holds, then since p has concurrency bounded by k, there must be some such 2; with x; ¢ p. 
So, there is some d € D, with d C down,.(2;)M p, and so by hypothesis, down,.(a;) Np = 
down,:(x) Mp, and so d C down,:(a) C down,(y). If (ii) holds, then there must be some z € r 
such that z <, y and depth,(z) = k+ 1. If z € r’, then since the depth of p is bounded by 
k, z ¢ p and there is some d € D, such that d C down,.(z) C down,(y). If z ¢ r’, then 
there is some « <, 2% satisfying the conditions of (i), so there is some d € D, such that d C 
down,:(x) C down,(z) C down,(y). Thus, (p, D,) E (r, {Events,}), and so by Definition 4.2.6, 
(r, {Events,}) € PD, a contradiction since (r, F.) ¢ PF. Hence, (r’,{r’}) ¢ PD, and since 
(7,0) € PF én, it follows that (r’,@) ¢ PF and is thus in U. 

Now, (r,@) € PF, would imply that (7’,0) € PF;, since PF; is an element of DYUST and 
thus prefix-closed. But this would imply that PF; U 4 @, a contradiction. Thus, PF; C PF. 

We now give the proof for pomset-divergences. Let V be the following set of pomset- 
divergences: 


V = {(p, Dp): (p, Dy) is a pomset-divergence, (p,D,) ¢ PD, and (p,0) € PF gn}. 


Clearly, V is finite and does not intersect PD, and hence does not intersect PD,. The 
directedness of A then implies that there is some (PF;, PD;, Act) € A such that PD; does not 
intersect V and PF; C PF; C PF. 


We now show that PD; C PD. Let (r, D,) be a pomset-divergence over Act with (r, D,) ¢ 
PD. If (r,0) ¢ PF, then (r,0) ¢ PF;, and so (r,D,) ¢ PD; from the closure properties of 
elements of DYUS7. If (r,0) € PFgn, then (r,D,) € V, and so (r,D,) ¢ PD;. For the last 
case, we have that (r,) ¢ PF gn and (r,0) € PF. We define an extension (r’, {Events,.}) 
of (r, D,) as follows: let the carrier of r’ be the carrier of r together with some disjoint set 
of events {(d,2):d € D, and 1 <i< k+1}. The ordering and labeling of r’ agrees with r 
on events in r, all the new events (d,7) are maximal in r’, and for all (d,2), down,.((d,i)) = 
d. The labels of the (d,7) are arbitrarily chosen to be labels in Act. It is easy to see that 
(r, D,) C (r’, {Events, }) and that (r’,0) ¢ PF gin since (r,@) ¢ PF gn and by Definition 4.2.10, 
P Fin is prefix-closed. Suppose for the sake of contradiction that (r’, {Events,:}) € PD; then by 
Proposition 3.2.15 and the prefix-closure of PDgny there is some (p’, D,:) € augment(PDgn) with 
(p', Dp) C (r', {Events,}). Since the concurrency in p’ is bounded by k, there must be some 
(d,i) € r’—p’ for every d € D,. Hence, for every d € D,, there is some d’ € D,, with d' C d. Let 
p be p’ with all (d,2) events removed, and let D, = {d' € D,:: d’ C p}. Then it is easy to see that 
D, is non-empty, (p, D,) is a prefix of (p', Dp), and (p, D,) C (r, D,). But by Definition 4.2.6, 


~~ 
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this would imply that (r, D,) € PD, a contradiction. Hence, (r’, {Events,:}) ¢ PD after all, 
and since (r’,0) ¢ PFfin, it follows that (r’,0) ¢ PF. 

Now (r, D,) € PD; would imply by the closure properties that (r’, {Events,.}) € PD,, and 
hence that (r’,@) € PF;, a contradiction since PF; C PF. Thus, 


(PF, PD, Act)CM°3"(PF;, PD;, Act) € A, 


proving this case. 
The proof for D/P" is a simple consequence of Definition 4.2.7 and the previous two cases. m 


Lemma 4.2.12 Let Act be a finite set of labels containing the distinguished symbol ./. For 
every (PT, Act) € DYAY, there is a directed set A, C DYAY of finite candidates of DYAY with 
LJA, = (PT, Act). For every (PF, PD, Act) € DY3S", there is a directed set Ay C DYIPT of 
finite candidates of DY°S? with |] A» = (PF, PD, Act). For every ((PT, Act), (PF, PD, Act)) € 
Dirt, there is a directed set Az C Di?" of finite candidates of Dif?" with L| A3 = 


(PT, Act), (PF, PD, Act)). 


Proof. We first give the proof for DMA’. For every n > 0, we define the n"" approximation, 


(PT,,, Act), to (PT, Act) as follows: 
PT, = {p € PT: |p| < n} 


We recall that by definition of DXA”, Act is finite. It is then easy to see that each (PT), Act) 
is a finite candidate, each (PT,,, Act)CN*” (PT, Act), and that the (PT,,, Act) form a chain in 
DNA. Thus, L{(PT,,, Act): n > O}CNS” (PT, Act). For the other direction, let p € PT; then 
p € PT),|, proving this case. 

We now prove the case for DMUS?. For every n > 0, we define n™ approximation, 

(PF,, PD,, Act), to (PF, PD, Act) as follows. The idea is that each n‘" approximation is 
generated by the set of pomset-failures and pomset-divergences in PF’ and PD whose depth 
is bounded by n. However, PF and PD may have unbounded concurrency and hence may an 
infinite number of pomsets of any given depth n. In order to ensure that each PF fy, and 
PDP are finite, we use only the minimal elements of PF’ and PD; in order to ensure that 
PFen and PPgy satisfy the conditions in Definition 4.2.6, we close under prefixing. 

Since we want the resulting finite candidates to approximate (PI, PD, Act), we need to 
ensure that all pomset-failures and pomset-divergences in PF’ and PD are generated by the 
augmentation and extension closure of PF gy and PPgy. Thus, in PF gn and PDgn, we extend 
past all pomsets of depth equal to n by throwing in all failure sets and throwing in all divergences 
that causally follow any chain of length of n. 


PE’ 


{(p, F) € PF: pis a prefix of some qg such that (¢,0) € PF, 
and either (q, {Events,}) ¢ PD or (¢,D) € minc(PD) for some D} 


PFinn = augment({(p, F) € PF’: depth(p) < n} 
U {(p, F): (p,0) € PE", depth(p) =n, and F C Act}) 
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PPinn = {(p, DU D'): (p,0) € PFinn, DU D' #0, D' C {down,(x) U {x}: depth, (x) = n}, 
and either (p,D) € PD or D = 9} 


PD,, = augment(extend4e:(PDgin-n)) 


PF, = PF én» U implied-failures 4.,(PDn) 


We first show that (PF, PD,, Act) is a finite candidate, recalling that by Definition 4.2.6, 
Act is finite. Therefore, an infinite number of distinct (p;,0) € PF gn, would imply unbounded 
concurrency in PF fp», and so the closure conditions (2d) and (3c) of Definition 4.2.6 would 
immediately contradict the definitions of PF’ and PF gy. Thus, PF gy, must be finite. 
We now show that (PFgnn,9, Act) € DYSST. It follows easily from the closure conditions 
of PF and Proposition 4.2.1 that closure conditions (1a)—(1d) hold for PF gn». For closure 
condition (le), suppose that (r, Ff) € PFin-n and c € Act and (r, FU {c}) € PF ann. Then 
r > p of some (p, fF’) € PF’ with depth(p) < n. Since (r, FU {c}) ¢@ PF ann, it is easy 
to see that (p, FU {c}) ¢ PFgn, and depth(p) < n. Furthermore, the closure conditions 
of PF, PD and the definition of PF’ imply that (p,F) € PF and (p,F U {c}) ¢ PF, and 
hence that (p,{Events,}) ¢ PD. Moreover, the closure condition (le) on PF implies that 
(p;¢,0) € PF. Clearly, p;e < r;e¢ and since depth(p) < n, it follows that depth(p;c) < n. 
If (p;¢,0) ¢ PF’, then by Proposition 3.2.15 and the definition of PF’, there must be some 
(q, Dy) € mine(PD) such that ¢ 4 p;e and (q, Dz) C (p;e, {Events,..}). Hence q is a prefix of 
p, and so (q,D,) € (p, {Events,}), implying that (p, {Events, }) € PD, a contradiction. Thus, 
(p;¢,0) € PF’, from which it is clear that (r;¢,0) € PF ann. 

It follows easily from the prefix-closure of PD and the prefix-closure of PF gy-, that PDfny 
is also prefix-closed. The construction of (PF, PD,, Act) then immediately implies that it 
satisfies Definition 4.2.10 and hence is a finite candidate. 

We now show that (PF,,PD,, Act) N°" (PF, PD, Act). Let (q¢,D,) € PD, and using 
Proposition 3.2.15 and the prefix-closure of PD, let (r, D,.) € minc(PD) such that (r, D,) C 
(q,D,). Then (r,D,) € PF’. If depth(r) <n, then clearly, (r, D,) € PD, and hence so is 
(q,D,). If depth(r) > n, let r’ be the (necessarily unique) maximal prefix of r of depth n and 
let D.. = {d € D,: d' C r’}. By the closure conditions of PF and PD, (r’,@) € PF and 
(r',D,) € PD if D, is non-empty. For one case, suppose that D,: is non-empty. Then by 
Proposition 3.2.15, there is some (r’, D.v) € minc(PD) such that (r’, D.v) E (r’, D.), and 
so it is easy to see by the prefix-closure of PF and the definition of PF gn» that (r”,0) € 
PFiinn. It is easy to show that (r”, Dw U {down (a) U {a}: depth... (7) = n}) € PPgnn and 
(rn, Din Uf down, (a@)U{a}: depth, (a) = n}) C (r', D, U{down,:.(a)U {a}: depth,. (x) = n}) C 
(r, D,) E (¢, Dz), so (q, Dz) € PD,. The details are simple and are left to the reader, as is the 
other case, which is similar. Thus, PD C PD,. 

To show that PF C PF,, let (¢,F) € PF. If (¢,{Events,}) € PD, then (q¢, {Events, }) € 
PD,, and hence (q,f) € PF,. Otherwise, (¢,/’) € PF’. For one case, if depth(q) < n, 
it is clear that (q,f’) € PF. For the other case, using a proof similar to that for pomset- 
divergences, it is easy to show that (q, {Events,}) € PD,, and hence (q, Ff’) € PF; the details 
are straightforward and are left to the reader. Thus, (PF, PD,, Act)C\ 7?" (PF, PD, Act). 
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To show that the set of n*®-approximations forms a directed set, we show that for every 
n > 0, (PF,,PD,, Act)ONP" (PFrai,PDn4i, Act). Let (¢,D,) € PDnsi; then (¢,D,) is 
an augmentation of an extension of some (7, D,) € PDPgnn4.i. For one case, suppose that 
depth(r) <n. Then it is easy to see that (r, D,) € PD, so (r, D,) € PD, by the earlier proof, 
and therefore so is (¢,D,). The proof of the other case, when depth(r) = n +1, is very similar 
to the proof that PD > PD,, and the details are left to the reader. Thus, PDnj4, C PD,. 

To show that PFi41 C PF, let (¢, Ff) € PFryi. If (¢, {Events,}) € PD,41, then by the 
above case, (q,{Events,}) € PD,, and hence (q, fF) € PF,. Otherwise, if depth(q) < n, it is 
clear that (¢, F’) € PF,,. For the other case, using a proof similar to that for pomset-divergences, 
it is easy to show that (q, {Events,}) € PD,, and hence that (¢, F) € PF; the details are left 
to the reader. Thus, (PF, PD,, Act)eyeP" (PFisi, PDn4i, Act). 

For the last part of the proof, we show that (PF, PD, Act) = L]{(PF,,, PD,, Act): n > 0}. 
One direction follows immediately from the fact that every (PF,,, PD,, Act) EN°°" (PF, PD, Act). 
For the other direction, let (p,D,) € \{PDnz:n > O}, and let k = depth(p). Then (p,D,) € 
PD;4; implies that (p,D,) is an augmentation of an extension of some (q,D,) € PDéin-441- 
Since augmentation and extension only increase depth, depth(q) < k, from which it is easy 
to see that (q¢,D,) € PD and hence that (p,D,) € PD. For the other case, let (p, F) € 
(WPF: n > 0}, and let & = depth(p). Then (p, F’) € PF, 4, implies that (p, F) € PFfn-p4i 
or (p,{Events,}) € PDy41, both of which imply that (p,F) ¢ PF. Thus, (PF,PD, Act) = 
LI{(PF,, PD,, Act): n > 0}, proving this case. 

We now prove the case for D/,f?". For every 1 < n < m, we define the (n,m) approxi- 
mation, (PF(,m),PD,, Act) to (PF, PD, Act) as follows. First, PF’, PPfinn, PD, are defined 
as in the proof of the above case. Furthermore, in order to appropriately define the approx- 
imate pomset-traces, we may also need to replace some non-maximal pomsets of depth n in 
PF — PF", Since we only want to construct finite sets of pomset-traces, we define the (n, my" 
approximation by replacing all such pomsets of depth bounded by n and size bounded by m. 
The formal definitions are as follows: 


PFiin-(n,m) = PF finn U augment({(p, F) € PF: p € PT, depth(p) <n and |p| < m}) 


PT (n,m) = {p: (p, 9) € PF n(n, m)} 


PF(nm) = PF §in-(n,m) U tmplied-failures 4.4(P Dn) 


The proof is a straightforward combination and adaptation of the proofs of the above cases; 
the details are left to the reader. : 


We now have: 


Theorem 4.2.13 Let Act bea finite set of labels containing the distinguished symbol \/. Then 


DMAY, DNSST, and DieP? are algebraic cpo’s. 


The theorem is a simple consequence of the definition of compact elements, Lemma 4.2.11, 
and Lemma 4.2.12 (cf. [18]). 
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pMay 


We now show that all compact elements are definable as the [ meanings of WT Nets: 


Theorem 4.2.14 Let Act be a finite set of labels containing the distinguished symbol \/. For 
every compact element (PT, Act) € DA”, there is some WT Net (N, Act) with [(N, Act)]“*Y = 
(PT, Act). 


Proof. Let (PT, Act) be a compact element of DY. As a simple consequence of 
Lemma 4.2.12 and the definition of compactness (cf. [18]), (PT, Act) is a finite candidate of 
DAY. Thus, PT is finite set of pomsets over Act. 

We first build a tree whose nodes are labeled with valid pairs of the form (p,x,), where 
p € PT and x, € mazx(p) whenever p is non-empty and x, =e otherwise. We use * as a 
wildcard character. 

The tree is recursively built as follows. The root node is labeled (0,). A node labeled 
(p,*) has an arc to a node labeled with some valid pair (p’, 2») iff p' — x» = p. Since PT is 
prefix-closed, it is easy to see inductively that there is some (p, *)-labeled node in the tree for 
every p € PT. Furthermore, it is easy to see that the tree is finite, and hence is also finitely- 
branching. Since every pomset implicitly represents its isomorphism class, we assume without 
loss of generality that any two children of any given node of the tree will have distinct second 
components in their labels, i.e., if the labels of the children are respectively (+,2) and (*, y), 
then 2 and y are distinct symbols. 

From this tree, we will recursively construct a loop-free net N in which every place has 
in-degree of at most one. This net preserves concurrency of events occurring within any branch 
of the tree; however, events on different branches of the tree will always be represented as 
conflicting transitions. 

We now recursively construct the following net from the tree, level by level. For the first 
level, we begin with a net with one place, which is initially marked. For every child s of the 
root, we add to the net a new l,(a)-labeled transition, named s, where the label of node s in 
the tree is (p,x). The single initially marked place is attached as the pre-set of each transition 
s. All of these transitions have empty post-sets. 

For the induction step, we show how to define the (k + 1)-level of the tree from the k-level 
segment of the tree. For every node s in the k' level of the tree and each child s’ of node s, 
we construct a new l,/(2’)-labeled transition, named s’, where the label of node s’ in the tree is 
(p', 2’). 

It is easy to see that for every maximal cause « € Events, of 2’, there is a unique (*, x)- 
labeled node s” along the path from the root to s’. We then hook up transition s’ to the 
(already existing) transition s”. This is accomplished by creating a new, unmarked place for 
transition s” and adding it both to the post-set of transition s” and to the pre-set of transition 
s'. If x € min(p’), then a new initially marked place is added to the net and is attached as the 
preset of transition s’. Finally, transition s’ is placed in conflict with every transition v in the 
net such that node v is not a predecessor of s’ in the tree. This is accomplished by creating 
a new, initially marked place for every such transition v, and putting this new place in the 
pre-sets of both transition s’ and v. 

It is then straightforward to show inductively that PT’ is the set of pomset-traces of the 
net; the details are left to the reader. 

Let Act be the alphabet of the net; clearly, all transitions of the net have labels from Act. 
Since the original tree is finite, an inductive argument shows that the net is l-safe, has a finite 
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number of initially marked places, and that all places and transitions have finite in-degree and 
out-degree. Thus, only a finite number of transitions are enabled under any reachable marking 
of the net. However, one complication is that the \/-labeled transitions of N may not clean out 
all the tokens in the net. To correct this, we first recall that any pomset in PT can contain 
at most one ,/-labeled event, which must be the sole maximum event in the pomset. We then 
observe that any \/-labeled transition, s, in the net, is thus enabled only after firing exactly the 
transitions corresponding to each of the predecessors of node s in the tree. By construction of 
the net, these transitions can only be fired in a sequence that is consistent with the ordering of 
the pomset corresponding to the node s. By Theorem 3.2.3, every such firing sequence results 
in the same final marking; thus, there is exactly one reachable marking of the net under which 
transition s is enabled. A simple modification of the preset of each \/-labeled transition to 
include all such corresponding marked places then yields the desired WT Net. : 

We now show that all compact elements are definable as the [-]“"°" meanings of WT Nets: 
Theorem 4.2.15 Let Act be a finite set of labels containing the distinguished symbol ,/. 
For every compact element (PI, PD, Act) € DS", there is some WT Net (N, Act) with 
[(N, Act) ]M°°T = (PF, PD, Act). 


Proof. Let (PF, PD, Act) be a compact element of DYUS?™. As a simple consequence of 
Lemma 4.2.12 and the definition of compactness (cf. [18]), (PF, PD, Act) is a finite candidate 
of DNSST. By Definition 4.2.10, Act is a finite set of labels and there is some finite set PF gy, of 
pomset-failures over Act and some finite set PD, of pomset-divergences over Act such that: 


e (PFain,@, Act) € DNS. 

e PD is prefix-closed. 

e (p,D) € PPgn implies that (p,0) € PFén. 
e PD = augment(extend4.1(PPfin)). 


e PF = PF gy U implied-failures,.,(PD). 


We first build a tree whose nodes are labeled with valid triples of the form (p, Dp, %p») or 
(p, Fy, %p), where (p,D,) € PDgn or (p, F,) € PF an, respectively, and x, € mazx(p) whenever 
p is non-empty and 2, =e otherwise. Furthermore, we require that F,, = F’ — A for some F” 
and A such that (p, F’) € PFgn, (p, F’ U {c}) ¢ PF en for all ¢ € Act —F’, 0 C A C Act, and 
for every a € A, there is some p’, € p with a such that (p1,,0) € PFan. We use * as a wildcard 
character. 

The tree is recursively built as follows. The root node is labeled (@, Act —init(PF én), ¢). 
A node v labeled (p, F,,2%,) has an a-labeled arc to a node labeled with some valid triple 
(p', Fy, @pr) or (p', Dy, Xp) iff (i) a € Act —F,, (ii) l,(ep) = a, (iii) p— v, = p, and (iv) for 
every ancestor w of v, if (¢, £,,*) is the label of w, then either down, (2) Z q or a ¢ Fy. 

We first show that for every node labeled (p, F,,2,), there is an a-labeled arc emanating 
from the node iff a € Act —F,. One direction follows immediately from the construction of the 
tree. For the other direction, let a € Act —F,, then by definition of the valid triples and the 
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closure properties of PF gn, it is straightforward to show that (p;a,@) € PF. Let x, be the 
(unique) maximum event of p; a; it is then easy to see that there must be an a-labeled arc from 
the (p, F,, %,)-labeled node to a (p;a, F’, x,)-labeled node for some F”. 

We now show that for every (p,D,) € PDPfn, there is some node in the tree with label 
(p, Dy, tp), and for every (p, I’) € PF gm, there is some node in the tree with label (p, F,, 2») 
for some fF, D F. We prove the lemma by induction on the size of p. The base case of 
p = @ follows easily from the closure properties of PFgn. For one case of the induction step, 
let (p, fF’) € PF fin, let x,» € maz(p), let a be the label of x,, and choose some fF, D F with 
(p, f,) € PF fim such that (p, F, U{c}) € PF gn for all ¢ € Act —F,. Since PF gn is prefix-closed, 
there is by induction some node v in the tree with label (r, F.,2,), where r = p—a,. From 
the construction of the tree, we can assume without loss of generality that a ¢ F,. If some 
(qi, 4,5 %q,)-labeled node is an ancestor of v with a € F,, and down,(x,) C q, let it be the 
least such ancestor. Let gj be p restricted to g; U {x,}; clearly, gq is a prefix of p, and hence 
(¢;,0) € PFin. Thus, there is a (q;, F,, — {a}, «,,)-labeled node reachable by the same path 
as the (q;, F,,,%, ,)-labeled node, and there is a path from this (q;, Fy, — {a}, z,,)-labeled node 
to some (r, F.,2,)-labeled node. By repeating this argument down the path to (r, F,, 2,), it is 
easy to prove that there is a-labeled arc from the (r, F,, 2,)-labeled node to a (p, F,, z,)-labeled 
node. The induction step for (p, D,,z,)-labeled nodes is similar and is omitted. 

Furthermore, it is easy to see that the tree is finitely branching. Since every pomset implic- 
itly represents its isomorphism class, we assume without loss of generality that any two children 
of any given node of the tree will have distinct third components in their labels, 7.e., if the labels 
of the children are respectively (*,*,2) and (*,*,y), then 2 and y are distinct symbols. 

From this tree, we will recursively construct a loop-free net N in which every place has in- 
degree of at most one. This net preserves concurrency within any branch of the tree; however, 
transitions arising from different branches on the tree will always be conflicting. 

We now recursively construct the following net from the tree, level by level; the procedure 
is analogous to that in the proof of Theorem 4.2.14. For the first level, we begin with a net 
with one place, which is initially marked. For every child s of the root, we add to the net a new 
L,(@)-labeled transition, named s, where the label of node s in the tree is (p,*,2). The single 
initially marked place is attached as the pre-set of each transition s. All of these transitions 
have empty post-sets. 

For the induction step, we show how to define the (k + 1)-level of the tree from the k-level 
segment of the tree. For every node s in the k' level of the tree and each child s’ of node s, 
we construct a new J,,(2’)-labeled transition, named s’, where the label of node s’ in the tree 
is (p’,*, 2’). It is easy to see that for every maximal cause x € Events, of 2’, there is a unique 
(*, *,@)-labeled node s” along the path from the root to s’. We then hook up transition s’ to the 
(already existing) transition s”. This is accomplished by creating a new, unmarked place for 
transition s” and adding it both to the post-set of transition s” and to the pre-set of transition 
s'. If x € min(p’), then a new initially marked place is added to the net and is attached as the 
preset of transition s’. Finally, transition s’ is placed in conflict with every transition v in the 
net such that node v is not a predecessor of s’ in the tree. This is accomplished by creating 
a new, initially marked place for every such transition v, and putting this new place in the 
pre-sets of both transition s’ and v. 

The procedure is analogous for every node s’ labeled with some (p’, D,, p), except that in 
addition, a new divergence (i.e., a T-transition in a self-loop) corresponding to each d € D,. is 
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hooked up in the obvious analogous manner. 

It is then straightforward to show inductively that for any (p, F,,2,)-labeled node in the 
tree, there is a pomset-trace corresponding to p after which exactly the actions in Act —F;, are 
enabled. Thus, all pomset-failures in PF, are actual pomset-failures of the net. Furthermore, 
PD ¢m is exactly the set of pomset-divergences of the net. 

However, for some (p, F;,,2,)-labeled nodes or some (p, D,, x,)-labeled nodes, the marking 
of the net reached after firing some proper prefix of p may generate a failure set that is “too 
big.” We thus patch up the net by iterating the following procedure: pick some (p, F,, &p)- 
labeled node or some (p, D,, %»)-labeled node, some proper prefix q of p, and some branch of 
the tree starting at some (q, F,,2,)-labeled node, and prune this branch so that each of its 
nodes are labeled with (r, F.,2,) for some r such that down,(a) D gq for all « € r—q. It is 
straightforward to show that there exists some such pruned branch whose leaves are leaves of 
the original tree. Now, for every occurrence of g in the net that has an incorrect failure set, 
add transitions following q so that it emulates the pruned branch. It is straightforward to show 
firing g in the resulting net always leads to a correct failure set and that the failure sets of 
the markings corresponding to the nodes of the tree are unaffected. Each iteration reduces 
the number of distinct pomsets g with incorrect failure sets, and hence PF gy, and PDgy are 
respectively exactly the pomset-failures and pomset-divergences generated by this net. 

An inductive argument then shows that the net is 1-safe, has a finite number of initially 
marked places, and that all places and transitions have finite in-degree and out-degree. Thus, 
the labeled transition system of the net is finitely branching. However, one complication is that 
the \/-labeled transitions of N may not clean out all the tokens in the net; this difficulty is 
resolved exactly as in the proof of Theorem 4.2.14. It is then easy to show that the resulting 
net is a WT Net (N, Act) such that [(N, Act)]Y°°" = (PF, PD, Act). = 
pest 


We now show that all compact elements are definable as the [ meanings of WT Nets: 


Theorem 4.2.16 Let Act be a finite set of labels containing the distinguished symbol \/. For 
every compact element ((PT, Act), (PF, PD, Act)) € DUEPT, there is some WT Net (N, Act) 
with [(NV, Act)]™*°°* = ((PT, Act), (PF, PD, Act)). 


Proof. Let ((PT, Act), (PF, PD, Act)) be a compact element of DEPT. As a simple conse- 
quence of Lemma 4.2.12 and the definition of compactness (cf. [18]), ((PT, Act), (PF, PD, Act)) 
is a finite candidate of DAf?*. Thus, (PT, Act) is a finite candidate of DYS* and (PF, PD, Act) 
is a finite candidate of DUS". Let PF an, PPfin be the finite generating sets of PF’, PD as given 
by Definition 4.2.10. 

Using the same technique as in the proof of Theorem 4.2.15, we first build a tree whose 
nodes are labeled with valid triples over PF gn and augment(PDgn), rather than PD. In 
addition, nodes can also be labeled with valid pairs (p,z,), where p € PT, (p,0) ¢ PFin, 
and z, € mazx(p). The nodes labeled with valid pairs are connected up as follows. A node 
labeled (p,D»,%p) has an a-labeled arc to a node labeled with some valid pair (p’,z,-) iff 
(p, Dy) © (p',t{p'}), p! -— tp = p, and I,.(a,) = a. Finally, a node labeled (p,2,) has an 
a-labeled arc to a node labeled with some valid pair (p’,z,-) iff p’ — a, = p and l,)(ap) = a. 

By the closure conditions of Definition 4.2.7, (p,@) € PF for every p € PT. Hence, (p,9) ¢ 
PFrn for some p € PT, then there must be some (r,D,) € PD such that (p, {Events,}) € 
augment(extend,({r, D,))). Thus, (p, F) € PF for every F C Act. By Proposition 3.2.15 and 
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the prefix-closure of PPgn, there must be some (r’, D,.) € augment(PDgn) with (7’, D,.) C 
(p, {Events,}). It is then easy to show inductively that for every p € PT, the tree contains 
some node labeled with either (p, *,*) or (*,*), where * is the wildcard symbol. 

The construction of the net is then the obvious straightforward combination of the construc- 
tions in the proofs of Theorem 4.2.14 and Theorem 4.2.15, as is the remainder of the proof. m 


The operations on DYAY and DNS are given in Definition 3.2.28 and Definition 3.2.29, 
respectively. We do not restate the definitions here. Let the operations on Dif?" be the 
natural pairwise combination of the operations on DY&Y and DNUST. Then: 


Theorem 4.2.17 Let Act bea finite set of labels containing the distinguished symbol \/. Then 


DAY, DYSPT, and DiEP? are closed under prefixing, restriction, renaming, hiding, sequencing, 


internal choice, CCS choice, non-communicating parallel composition, CSP-style parallel com- 
position, CCS-style parallel composition, split refinements, and choice refinements. Further- 
more, all of these operations are continuous functions on the respective domains. 

Let Act’ be a finite set of labels containing \/. Then grow Act’ and shrink Act’ are con- 


p : MAY (MAY MUST --MUST TEST TEST MAY (MAY 
tinuous functions from (Digy’,Gic: ), (Ditce Gace)» and (DArP*, Lace) to (Das, Gan’), 


MUST ;-—~MUST TEST ,;-TEST : 
( Act! 9» =Act! )s and ( Act! > =Act! )s respectively. 


The proof for DY“ is completely routine but tedious and is left to the reader. 


It is routine but tedious to verify that DNUS? is closed under all of the operations except 


alphabet expansion and shrinking, grow Act’ and shrink Act’ are continuous functions from 


(Dee eee TY to (DNUET, CMs"), all of the operations are monotone, and that all the opera- 
tions except hiding and CCS-style parallel composition are continuous. The details are left to 


the reader. The proof for Di?" is a simple consequence of Definition 4.2.7 and the continuity 


of the operations on DAY and DYNO. 
We prove the case for hiding on D\{S°", from which the proof for CCS-style parallel compo- 
sition follows easily. The proof for hiding is a generalization of that in [8] for failures semantics, 


and uses the following lemma: 


Lemma 4.2.18 Let (¢,D,) be a pomset-divergence over a finite alphabet Act, let a € Act, 
and let PDS = {(pn, Dn): n > 0} be an infinite set of pomset-divergences such that (pp, Dpr)— 
a = (q,D,) for all (p,,D,) € PDS. Then there is some pomset-divergence (ro, D U R) with 
(ro, DU R)—aC (¢, D,) and some infinite sequence r;,r2... of pomsets such that for i > 0: 


e 7; is a prefix of rj4y. 
e All events in r; — ro are a-labeled. 


e For every d € R,r; contains an t-length chain of a-labeled events whose downward-closure 
restricted to ro is a subset of d. 


e (7r;, D) is a prefix of some (p,,,Dn,) € PDS. 


Proof. Let (ro, D) be a pair consisting of a pomset, ro, together with a possibly empty 
set, D, of its prefixes such that 


e (ro, D) is a prefix of an infinite number of pomset-divergences (py,,Dn,) € PDS. 
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e For every pair (76, D’) that is a prefix of an infinite number of pomset-divergences in PDS, 
if (ro, D)— a is a prefix of (rj, D’)— a, then (ro, D)— a and (rg, D’)— a are isomorphic. 


Clearly, (0,0) is a prefix of every pomset-divergence. Since the size of all such (pj, D’)— a 
is bounded by (gq, D,) it is easy to see that a pomset-divergence (po, D) exists that satisfies the 
above conditions; however, it is not necessarily unique. 

Let (q', Dy) = (ro, D)— a for some such pair (ro, D); clearly, (¢’, Dy) is a prefix of (q, D,). 
Let R be the following set of downward-closed subsets of rp: 


R, = {down,,(d): d € D,, down,,(d) € D, and d C q’} 
Ry = {down,,(down,(x)Nq'):« €q-q'} 
R = Ry U Ro 


It is straightforward to show that the maximality conditions of (ro, D) imply that (ro, D) is 
extended in PDS by concurrent chains of a-labeled events of unbounded length in PDS, and 


whose set of downward-closures is exactly R. It is also easy to see that (rp, DUR)—aL (¢,D,), 
proving the lemma. 7 


We now prove the continuity of the hiding operation on DYPST: 


Lemma 4.2.19 Let Act be a finite set of labels containing the distinguished symbol \/. Then 


the hiding operation on DYSS" is continuous. 


Proof. One direction follows immediately from the easy observation that hiding is a mono- 
tone function. For the other direction, let A be an infinite chain in DYUS?, let {( PF, PD, Act) : 
k € Ia} def 4 for some index set I4, and let (PF'4,PD,4, Act) = LJA. For one case, let 
(q,Dq) © (UPD, - atk © In}. Lemma 3.2.15 and the closure properties of the PD; imply 
that for every PD, with k € I4, there is some (p*, D*) € PD; U PF, and some possibly empty 
set R® of downward-closed subsets of Events,« such that (p*, D* U R*) is a pomset-divergence, 
(p*, D'U R*\—a E (gq, D,), and for all n > 0, there is some pk with (pi, D) € PD, U PF, such 
that: 


bd (p*, RB) CL (ph, {Events,« }). 


e All events in p* — p* are a-labeled. 


e For every d € R*, there is some n-length chain of a-labeled events in p* — p* whose 
downward closure restricted to p* is d. 


Furthermore, we can clearly assume without loss of generality that every p* has size bounded 
by |p*| + [RS] xn. 

Let PDS be the set {(p*, D* U R*):k € Iy}. If PDS' is finite, then it is easy to see 
that an infinite number of (PT,, PF, PD,, Act) € A have the same (p*, D*, R*) and the same 
sequence pi,p5,.... Since A is a chain, this (p*,D*,R*) and this sequence pi, ps,... must 
occur in every element of A, from which it follows easily that (¢,D,) € PDa. If PDS’ is 
infinite, then clearly there must be some infinite subset PDS’ of PDS such that for all (p', D'U 
R'), (p', DIU RI) € PDS, (p', DU R')—a = (p’, D) U R’)— a. Thus, Lemma 4.2.18 gives the 
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existence of a prefix (ro, D) of some (p*, D’ U R*) € PDS, some set R of prefixes of ro with 
(ro, DU R)— aC (q,D,), and some appropriate sequence 71,72... such that every (7r;, D) is a 
prefix of some (p', D‘'UR') € PDS. Thus it follows by closure properties of the (PF;, PD;, Act) 
that (r;,D) € PD; U PF;. The definition of PDS and the chain condition then immediately 
implies that (ro, D) and all of the (r;, D) are in PD,, U PF, for every (PFj,, PD, Act), from 
which it follows easily that (q¢,D,) € PDa. 

The proof that ){PF,—a:k € I,} C PF, is very similar and is left to the reader. ] 


4.3 The Split Semantics 


This section gives abstract characterizations of the [-JNy;., and [-]ij;., semantics on WT Nets, 
shows that they form algebraic cpo’s, and proves that all the corresponding process operations 
from Chapter 3 are continuous functions on these cpo’s. 

We define (DYOFT Pe CNOTT PME) as a sub-partial-order of (DNUST, CNUST) corresponding 
to [-]“°°" meanings of y +), dupl-split nets. In order to ensure that every compact element of 
Diy” is definable as the [-]Mie) meaning of some WT Net, we require that Dy "7 
satisfy some additional closure conditions. 

First, we must ensure that Act is a “dupl-split alphabet,” and that PF and PD are closed 
under “Q-splitting” any ao-labeled events. Dually, any minimal pomset-failure or pomset- 
divergence must be the result of “O-splitting” some /-2-respecting pomset. We note that the 
definition of 1-2-respecting ensures that no a,-labeled event must be a maximal cause of any 
divergence. Furthermore, any maximal a,-labeled events corresponds to “half-fired” a -events 
and hence can be relabeled with ao. Also, firing any a,-labeled event additionally enables only 
a do-labeled event. The special role of \/ and 7 is also reflected in the closure conditions. In 


particular, (le) reflects the presence of initial T-moves. 


Definition 4.3.1 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,a2: a4 € 
Act —{y, /}} U{V, 7}. A triple (PF, PD, Act’) is said to be MUST-split-respecting iff it is a 
MUST-respecting triple and satisfies the following properties: 


1. Additional closure properties of PF: 


(a) O-split(PF) C PF. 
(b) (p, F) € 1-2-respect(PF’) and p’ € o(p) implies that (p',0) € PF, where o is the 
sequence of choice refinements (chotce(a, a,,a,): @ € Act —{7, V/}). 


(c) (p, F) € PF, ¢ € Act —{7,V/}, and (p, FU {c:}) ¢ PF implies that there is some 
p €p with c, such that (p', F — {c2}) € PF. 


(d) (y, Act) € PF. 
(e) (0, FU {a}) € PF and (a,0) € PF implies that (0, FU {a,y}) € PF. 


2. Additional closure properties of PD: 


(a) (p,D) € ming(PD) implies that (p, D) € augment(0-split( 1-2-respect(PD))). 
(b) 0-split(PD) C PD. 
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(c) (p,D) € 1-2-respect(PD) and p’ € o(p) implies that (p’,D) € PD, where a is the 
sequence of choice refinements (chotce(a, a,,a,): @ € Act —{7, V/}). 


(d) (p,D) € mine(PD) implies that p contains no y-labeled events. 


3. Additional mixed properties: 


(a) (p, fF’) € PF and (p, {Events,}) ¢ PD implies that 
(p, EF’) € augment ( 0-split( 1-2-respect(PF’))) 

(b) (p, F) € PF and (p, {Events,}) ¢ PD and p contains a \/-labeled event implies that 
this is the sole event in p. 

(c) (p, F) € PF, (p,{Events,}) ¢ PD, and F'N {ao,a,} # @ for some a € Act —{7,/} 
implies that F’ D {do, a;}. 


(d) (p, F) € 1-2-respect( PF), (p, {Events, }) € PD, and a, € F for some a € Act —{y, /} 
implies that no event in p is a,-labeled. 


Definition 4.3.2 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,a2: a € 
Act —{y, J/}} U{/,y}. A pair ((PT, Act), (PF, PD, Act’)) said to be TEST-split-respecting iff 
(PT, Act) is MAY-respecting , (PF, PD, Act’) is MUST-split-respecting , and 


1. p € PT and p’ € o(6(p)) implies that (p’,0) € PF, where 6 is the sequence of choice 
refinements (choice(a.ag,a’): @ € Act —{7, V/}), 7 is the sequence of split refinements 
(splitiara,,az)1 © € Act —{7, V}), and all the a’ are distinct symbols not in ActU Act’. 


2. (p, F) € PF and (p,{Events,}) ¢ PD implies that there is some p’ € PT such that 
p © augment(o(6(p’))), where o and 6 are as above. 


3. (p,D) € ming(PD) implies that there is some p' € PT’ such that p € augment(a(4(p’))), 
where o and 6 are as above. 


Definition 4.3.3 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a1,a,: a4 € 
Act -{y,J}} UL /,7}. Then DYE?" is the restriction of DNYF7 to MusT-split-respecting 


MUST-split-y : —MUST MUST-split- tee split- Y 
triples and C4; is the restriction of C4 .;; to Dy x Dy, 


Definition 4.3.4 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,d2: a4 € 
Act —{y, /}} U{v. 7}. Then Diep igs” is defined to be the set of all TEST-split-respecting 
pairs ((PT, Act), (PF, PD, Act')). Furthermore, C%y5; 45)" is the binary relation on Dye, aay 
such that for every (a,,3,) and (a, 32) in prestapi ¥, (01,81) aor ace (2, 32) iff a, CMY ay 


-——MUST-split-¥y 
and 3,04.) 2 


We first show that [-JMye> and [-]53*5 map WT Nets to elements of these domains: 


plit-y plit-y 


Theorem 4.3.5 Let (N, Act) be a WT Net, and let Act’ = {ao,a,,a2: a € Act —{y, V}}U 
{y,/}. Then [(N, Act)/MUST € DYE Stepney and [(N, Act) JES € Data 


plit-y plit-y 
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Proof. We first prove the case for [-JNuy. Since WT Nets are closed under +, and 


dupl-split, the definition of [-]¥;., and Theorem 4.2.8 together imply that [(.N, Act)]Miey € 
DMG. The additional closure conditions of Definition 4.3.3 follow directly from the properties 
of y+ x and dupl-split nets, and are easy to verify. The details are left to the reader. 

For [Jay it is straightforward to see from the definitions of pomset-traces, pomset-failures, 
and pomset-divergences of WT Nets, the definition of [-]>i\",, the definition of dupl-split and 
y+, and Proposition 3.2.15 that the additional closure conditions hold. The theorem then 


follows easily from Theorem 4.2.8 and the above case. : 


Theorem 4.3.6 Let Act be a finite alphabet containing \/ and let Act’ = {do,a,,d.: 4 € 
Act —(y./)}U {vs}. Then (DET CMT) and (DEST, CEB) are com: 


plete partial orders. 


The proof of the theorem is an easy combination and adaptation of the proof of Theo- 
rem 4.2.9. The details are left to the reader. 
We now give a finite characterization of the compact elements of Dy?" 7 and Dawe eer) 


Definition 4.3.7 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,a2: a € 
Act —{y, /}}Uf{/, 7}. A triple (PF, PD, Act’) is a finite candidate of DNs?" iff (PF, PD, Act’) 
e Dy’ and (PF, PD, Act’) is a finite candidate of DNUF7. A tuple (a, 3) is a finite can- 
didate of Dct,Act! iff (a, 3) € Dare ay’, @ is a finite candidate of DYAY, and £ is a finite 
candidate of Dyyi Pr”, 


As an immediate consequence of Definitions 4.3.3 and 4.3.4 and Lemma 4.2.11, we have: 


Lemma 4.3.8 Let Act be a finite alphabet containing / and let Act’ = {ao,a,,d.: 4 € 
Act —{y, V}} U{/,7}- Then all finite candidates of Dy "7 and Date aay) are compact 


MUST-split-¥y TEST-split-y : 
elements of Diy: and Dace act |» Tespectively. 


We now show: 


Lemma 4.3.9 Let Act be a finite alphabet containing \/ and let Act’ = {ap,a,,a,: a € 
Act -{y, J}} U{/, 7}. For every (PF, PD, Act’) € DYSIT "7, there is a directed set A, C 
Dio of finite candidates with |] A; = (PF, PD, Act’). For every (a,3) € Dyce an | 
there is a directed set Ay C Dytp aa’ of finite candidates with |] Az = (a, 9). 


Proof. The proof for Dy; ?""? is a minor modification of that of Theorem 4.2.12, needed 
in order to ensure that closure condition (2a) of Definition 4.3.3 holds for every approximation. 
For every n > 0, we define n approximation, (PF, PD,, Act’) to (PF, PD, Act’) as follows: 


PF’ = {(p, F) € PF: pis a prefix of some g such that (¢,0) € PF, 
and either (q, {Events,}) ¢ PD or (q,D) € mincg(PD) for some D} 


PFemn = {(p,F) € PF’: depth(p) < n} U {(p, F): (p, 0) € PE", depth(p) =n, and F C Act’} 
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PD enn = {(p, DUD’): (p,9) © PF enn, DUD #0, either (p,D)€ PD or D=90, 
and for all d€ D’, either d = down,(x) U {x} for some x such that 
depth, (x) =n, and I,(a) # a, for any a € Act —{y, J}, 
or d= down,(y) U {y} for some y such that 


y is a maximal cause of some x with depth,(x) = n, 


and l,(a#) = 6; for some 6 € Act —{y, /}} 
PD, = augment( extends ..(PPfin-n)) 
PFtinn = augment(PFEyn) 


PF, = PF finn U implied-failures 4 ../(PDy) 


The proof of this case is then a straightforward adaptation of that of Theorem 4.2.12; the 
details are left to the reader. 

The proof of Diet Act is a straightforward adaptation of the proof of Theorems 4.2.12 
and the above case; the details are left to the reader. : 


We now have: 


Theorem 4.3.10 Let Act be a finite alphabet containing / and let Act’ = {ao,a,,a2: a € 
Act —{y,V}} ULV, 7}. Then Dy? and Darya) are algebraic cpo’s. 


The theorem is a simple consequence of Lemma 4.3.8 and Lemma 4.3.9 (cf. [18]). 
We now show that all compact elements are definable as the meanings of WT Nets: 


Theorem 4.3.11 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,@2: 4 € 
Act -{y,/}} U {/,7}. For every compact element (PF,PD, Act') © DYST?""7, there is 
some WT Net (N,, Act) with [(N,, Act)]MVS" = (PF, PD, Act’). For every compact element 
((PT, Act), (PF, PD, Act')) € Dare ast |, there is some WT Net (No, Act) with [(N2, Act)", 
= ((PT, Act), (PF, PD, Act')). 


Proof. For the first case, let (PF, PD, Act’) be a compact element of DUS". As a simple 
consequence of Lemma 4.3.9 and the definition of compactness (cf. [18]), (PF, PD, Act’) is a 
finite candidate of DYVVTePth7, 

The construction of the tree is analogous to the proof of the proof of Theorem 4.2.15, except 
that nodes are labeled with pomset-failures only from 0-split( 1-2-respect(PFgn)) (rather than 
PF fm) and with pomset-divergences only from 0-split(1-2-respect(PD fy )) (rather than PDgy). 
Furthermore, the root has r-labeled arcs to nodes labeled with valid triples of the form (@, {0}, e) 
or (0, F U{y},e). Finally, an additional restriction is that a node labeled (p, F,,,2)) has an a,- 
labeled arc to a node labeled with (p’, Fy, 2p), then FF, — {a2} C Fy. The remainder of the 


proof is a straightforward modification of the proof of Theorem 4.2.15; the details are left to 
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the reader. In particular, using closure condition (3a), it is easy to rewire the net to simulate 
duplicate-splitting. 

We remark that the “patching-up” process is done first on prefixes whose maximal nodes 
are all ao-labeled or ay-labeled. The failure sets for the remaining prefixes are then chosen 
appropriately. 

The resulting net is then isomorphic to y +yy (dupl-split((.N,, Act)) grow {y}) for some WT 
Net (No, Act), proving this case. 

The proof for Diet Ac! is then a straightforward combination of the proofs of Theo- 
rems 4.2.16 and the previous case; the details are left to the reader. : 


The operations on DYOS**P""7 are given in Definition 3.2.45. We do not restate the def- 
initions here. Let the operations on D4; 42"? be the natural pairwise combination of the 


. MUST-split- 
operations on DYAY and Dye; P"*. Then: 


Theorem 4.3.12 Let Act be a finite alphabet containing / and let Act’ = {ao,a,,a2: a € 
Act -{y,J}} UL, y}. Then DYST PET and Dieter '7 are closed under prefixing, restric- 
tion, renaming, hiding, sequencing, internal choice, CCS choice, non-communicating parallel 
composition, CSP-style parallel composition, CCS-style parallel composition, split refinements, 
and choice refinements. Furthermore, all of these operations are continuous functions on the 
respective domains. 

Let Act, be a finite alphabet containing \/ and let Act,’ = {d9, a1, 42: a € Act, —{y, W}}U 


MUST-split--y —MUST-split- 


{/,y}. Then grow Act, and shrink Act, are continuous functions from (D4,,; pet! 
TEST-split-y -—TEST-split-y MUST-split-y --MUST-split-+ TEST-split-y —TEST-split-y 
and (Dace Act! 9 =Act, Act! ) to (Dict,! 9 = Act,! ) and (Dacty Acty! 9 =Act,,Act,! )s re- 


spectively. 


Proof. It is straightforward but tedious to show that DYYS7°?"*7 is closed under all 
of the operations except alphabet growing and shrinking, and that the domain and range of 
grow Act, and shrink Act, are as specified. It is easy to show that + ),, augment, extend 
1-2-respect, 0-split, 0-1-choice, and 0-1-split are continuous functions. The theorem then fol- 
lows easily from Theorem 4.2.17. : 


4.4 The Interval Semantics 


This section gives abstract characterizations of the [-JMAT, [-JMi5, and [Ji semantics on 


WT Nets, shows that they form algebraic cpo’s, and proves that all the corresponding process 
operations from Chapter 3 are continuous functions on these cpo’s. 


Definition 4.4.1 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a1,a,: a € 
Act —{y,V}} U{V,y}. Then DYAY"' is defined to be the set intervals(DNA* ). Furthermore, 
cyAvnl is the binary relation on DNAY'™* such that for every (PT,, Act) and (PT», Act) in 
DMay-intel  (PT,, Act, CMAY™™l (PT, Acts) iff PT, C PT». 


MUST-i 1 : . MUST-split- —MUST-i Ly: 
Dic) is defined to be the set intervals(Dy.; P""7). Furthermore, C%.;)"""""? is the 


binary relation on DYVIT™ 7 such that for every (PF,,PD,, Act’) and (PF2, PD», Act’) in 
DYES (PF, PD,, Act'VONE "1 (P Fy, PDs, Act’) iff PF, > PF, and PD, > PD». 
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TEST-intvl- : . TEST-split- — TEST-intvl- : 
Dict Act’. i8 defined to be the set intervals(D,-; 44) ). Furthermore, Cyc; ga) is 
on . TEST-intvl-y ; . TEST-intvl-y 

the binary relation on Dyce an’ such that for every (a1, (1) and (a2, 2) in Dace ann’, 


(a1, 1:)E ner ac (G2, 82) iff ay CAB Ov, and Boe TT Bo, 


We first show that the interval semantics of Chapter 3 map WT Nets to elements of the 
above partial orders: 


Theorem 4.4.2 Let (N, Act) bea WT Net. Then [(N, Act)]MAy € DYYO™, [CN, Act) INT € 
DMIST and [Act JER, € DESTIN 

The theorem is a simple consequence of the definitions of [-]MY, [-Itacy> Ghinc,y, Theo- 
rem 4.2.8 and Theorem 4.3.5. 


The following propositions will be useful in the technical development in this section: 


Proposition 4.4.3 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,@.: a € 


Act —{7, J} } U{V, 7}. The intervals and augment functions on DYAY'™™! are continuous and 


. . : MUST-intvl- : 
the intervals, augment, extend, and 0-split functions on Dy.,; "'’” are continuous. 


Proposition 4.4.4 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,a,: 4 € 
Act -{y, J}} Uf, 7}. Let (PT, Act) € DMAY and let (PF, PD, Act’) € DUST), Then 


© augment(intervals((PT, Act))) € DYAY 


e intervals( augment (intervals( (PT, Act)))) = intervals({ PT, Act)) 


e intervals( augment (extend, .,:(0-split(intervals((PF, PD, Act')))))) = 


( 

( 

e augment(extend 4,4/( 0-split( intervals((PF, PD, Act'))))) € Dyoy Tre? 

( 
intervals((PF, PD, Act')) 


e (PF, PD, Act’)o eT" augment (extend, .,1( 0-split( intervals((PF, PD, Act’))))) 


The proof of Proposition 4.4.3 is routine. The first two items of Proposition 4.4.4 follows 
easily from Proposition 4.2.1 and Definition 4.2.5. The remaining items of Proposition 4.4.4 
follows easily from Proposition 3.2.15, Proposition 3.3.9, Proposition 4.2.1, and Definition 4.3.3. 
The details are left to the reader. 


Theorem 4.4.5 Let Act be a finite alphabet containing \/ and let Act’ = {do,a,,a9: a € 
Act ~{7, V3} UL, 7}. Then (DYQ I EN), (Dace Ea 7), and 


TEST-intvl- — TEST-intvl- . 
(Dice Act! > Cat Act’), are complete partial orders. 


1 MAY-intvl f-MAY-intvl MUST-intvly ->—MUST-intvl-y 
Proof. It is easy to see that (DY* Oy ), (Divce et! ), and 


TEST-intvl y -—TEST-intvl-y : 
(Dace Act! > act.Act’) |) are partial orders. 


We give the proof of completeness for DYAY"™™'. It is easy to see that (@, Act) is the least 
element of DNAY i"! Let A be a directed set in DAY i™™'; then by definition of DYAYi™, 
A = intervals(B) for some set B C DYAY. Proposition 4.4.3 and Proposition 4.4.4 im- 
ply that augment(intervals(B)) is a directed set in DYAY, and Theorem 4.2.9 implies that 
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U augment(intervals( B)) € DYAY. By definition, intervals(U augment(intervals( B))) € DYAYe™, 
and by Proposition 4.4.3 and Proposition 4.4.4, 


intervals(( augment(intervals( B))) = UJ intervals( augment(intervals( B))) = | J(intervals( B)), 


proving this case. 
The proofs for Dy "7 and Dict Act are completely analogous, except that they use 
Theorem 4.3.6. The details are simple and are left to the reader. : 


We now give a finite characterization of the compact elements of these domains. 


Definition 4.4.6 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,a2: a € 
Act —{y,/}} U{V,y}. A pair (PT, Act) is a finite candidate of DYAX'™™ iff (PT, Act) = 
intervals((PT"’, Act)) for some finite candidate (PT", Act) of DN4Y. A triple (PF, PD, Act’) is 
a finite candidate of Dyer "7 iff (PF, PD, Act’) = intervals((PF", PD’ Act'\) for some finite 
candidate (PF’, PD’, Act’) of Dats P"7. A tuple (a, f) is a finite candidate of Divy gee) iff 
(a, 3) = intervals((a’, 9")) for some finite candidate (a’, 3’) of Daot Al 


Lemma 4.4.7 Let Act be a finite alphabet containing \/ and let Act’ = {ap,a1,a2: a € 
Act —{7, /}}U{y,7}. Then all finite candidates of DYAY i, DENT") and Davy acy) are 
compact elements of DAY", Dit "7, and Dic, aw!» respectively. 

Proof. The proof for DYAY™' is identical to that for DAY in Theorem 4.2.11. 

Let intervals((PF, PD, Act’)) be a finite candidate of DYSST™'? and let A be a subset of 
DST PE’ such that intervals(A) is a directed set in DYUST "7 and 
intervals((PF, PD, Act’) )CN Ys"? || intervals(A). By Propositions 4.4.3 and 4.4.4, 


(PF,PD, Act’) CYSIT "7 qugment( extend 4,41(0-split(intervals((PF, PD, Act'\)))) 
oe PET qugment( extend, .;1( 0-split(|_| intervals( A)))) 
cee “| | augment( extend 4,4/(0-split(intervals( A)))) 


Since by Theorem 4.3.8, (PF, PD, Act’) is a compact element of DYO;T*?"*7, there is some 
(PF,,, PD,, Act’) € A with 


(PF, PD, Act’\ NST "7 qugment( extend 441(0-split(intervals((PF,,, PD, Act'))))). 
Then by Proposition 4.4.4, 


intervals((PF, PD, Act')) CYVhiny 
intervals( augment(eatend 4 .,/(0-split( intervals((PF,, PDn, Act')))))) 


which by Proposition 4.4.4 is equal to intervals((PF,, PD, Act')), proving this case. 
The proof for Dict Act! is a simple consequence of the previous two cases and is left to 


the reader. a 


Lemma 4.4.8 Let Act be a finite alphabet containing \/ and let Act’ = {ao,a,,d.: a € 
Act —{7, J/}} U{/, 7}. For every (PT, Act) € DAY", there is a directed set Ay C DYAYin™! 
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of finite candidates with || 4, = (PT, Act). For every (PT, Act’) € DYSIT™"'"7, there is a 
directed set Ay C DOT "7 of finite candidates with | Ay = (PT, Act’). For every (a, 3) € 
Dict Act» there is a directed set As C Dyty acy” of finite candidates with || As = (a, {). 


Proof. We prove the case for DYAY"'. By definition, (PT, Act) = intervals((PT", Act)) 
for some (PT’, Act) € DYAY. Lemma 4.2.12 gives a directed set B of finite candidates of 
DY* whose least upper bound in DAY is (PT"’, Act). Thus, (PT, Act) = intervals(| B). By 
Proposition 4.4.3 and Definition 4.4.6, intervals(.B) is a directed set of finite candidates of 
DY AY in! and 


(PT, Act) = intervals(| | B)= | | intervals( B). 


The proofs of the other cases are analogous and are omitted. 7 


Theorem 4.4.9 Let Act be a finite alphabet containing \/ and let Act’ = {do,a,,a9: 4 € 
Act —{y, /}}U {V7}. Then DYSE™, DE ET, and Dace aa) ave algebraic cpo’s. 


The theorem is a simple consequence of the definition of compact elements and Lemma 4.4.7 
and Lemma 4.4.8 (cf. [18]). 


Theorem 4.4.10 Let Act be a finite alphabet containing / and let Act’ = {ao,a,,a2: a € 
Act —{7, J/}} U{Y,7}. For every compact element (PT, Act) € DYAY™™ |, there is some WT 
Net (Nj, Act) with [(Ni, Act)JMAY = (PT, Act). For every compact element (PF, PD, Act’) € 


intvl 


Dy", there is some WT Net (No, Act) with [(N2, Act)]MOP = (PF, PD, Act’). For every 


compact element (a, 3) € Dyey aa’, there is some WT Net (Ng, Act) with [(Ns, Act)]iRS7, = 
(a, 8). 


The theorem is a simple consequence of the definition of [-]MAY, [IMA3. [-Jiva,, Lemma 4.4.8, 


and Theorems 4.2.14 and 4.3.11. 
The operations on DYAY"™!, Dig 7, and Daly ace are given in the proof of Theo- 
rem 3.3.10. We do not restate the definitions here. We have that: 


Theorem 4.4.11 Let Act be a finite alphabet containing / and let Act’ = {ao,a,,a2: a € 
Act —{7, /}}U{V,7}. Then DAY, DENTON and Dice aw) are closed under prefix- 
ing, restriction, renaming, hiding, sequencing, internal choice, CCS choice, non-communicating 
parallel composition, CSP-style parallel composition, CCS-style parallel composition, split re- 
finements, and choice refinements. Furthermore, all of these operations are continuous functions 
on the respective domains. 

Let Act, be a finite alphabet containing \/ and let Act,’ = {ao,4,,a.: a € Act, —{7, /}}U 


{/,y}. Then grow Act, and shrink Act, are continuous functions from (DMAY IN! Cyan). 
MUST-intvly -—-MUST-intvl-y TEST-intvl y -—TEST-intvl-y MAY-intvl f-MAY-intvl 

(D ' »=Act! )s and (Dace Act! 9 =Act, Act! ) to (Da > =Act! )s 
MUST-intvly -—-MUST-intvl-y TEST-intvl y -—TEST-intvl-y : 

(Dace! > =Acty! )s and (Dact, Act,’ 9 =Acti,Acty! )s respectively, 


The theorem follows easily from Theorems 4.2.17 and 4.3.12, and Proposition 4.4.3. 
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Chapter 5 


Action Refinement 


5.1 An Action Refinement Operator 


This section presents our action refinement operator on a restricted class of WT Nets. In order 
to preserve the finite marking condition on Well-Terminating Nets, we will define our action 
refinement on a suitably restricted subclass of WT Nets. 


Definition 5.1.1 The class of Refinable Well-Terminating (RWT) Nets consists of WT Nets 
(N, Act) in which every place has only a finite number of transitions with labels from Act —{,/} 
emanating from it, i.e., for all s € Sy, the set {t € posty(s): Iy(t) € Act —{,/}} is finite. 


It is easy to show that: 


Theorem 5.1.2 The class of RWT Nets is closed under prefixing (a.), restriction (\a), hiding 
(—a), renaming ([f]), CSP-style sequencing (;), non-communicating parallel composition (||), 
CCS-style parallel-composition-with-hiding (|), internal choice (@), start-unwinding, CCS-style 
choice (+ 2), split, and choice, but not under CSP-style parallel composition (||). 


Proof. CSP-style parallel composition, ||;,.}, applied to two RWT Nets that each contain 
an infinite number of a-labeled transitions will result in a net in which every a-labeled transition 
of one net is allowed to synchronize with every a-labeled transition of the other net. We recall 
that by definition, all transitions in WT Nets have non-empty presets. Thus, it is easy to 
see that some place in this resulting net must have an infinite number of a-labeled transitions 
emanating from it, violating the defining condition on RWT Nets. 

The proof that RWT Nets are closed under all the other net operators follows easily from 
Theorem 2.2.16 and is omitted. 7 


Our action refinement operator (N, Act)[a:=(N,, Act)] “replaces” each a-labeled transition 
in the target net (N, Act) by a separate but identical copy of the refinement net (N,, Act); these 
copies are distinguished by “tagging” the names of the places and transitions of NV, with the 
name of the corresponding a-labeled transition. We want our action refinement operator to 
satisfy some intuitively simple distributivity properties, and so we need to be careful in how we 
hook up the copies of NV, to the places of N. 
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6 6 


On en 
_ (N, Act)[a:=(Nq, Act)| 


Figure 5-1: An Example of Action Refinement 


In the same spirit as the definition of the +,, operator, we take cross products of the start 
places of appropriate copies of V,; in particular, for every place s in N, we take a cross product 
v of the start places of the copies of NV, corresponding to the a-labeled transitions emanating 
from s. Furthermore, in the same spirit as the definition of sequencing, we relabel with 7 
all of the \/-labeled transitions of the copies of NV, and connect them all up to the post-set 
of the corresponding a-labeled transition. The other transitions of the copies of N, and the 
non-a-labeled transitions of N are then hooked up to all of these places in the expected manner. 


Not surprisingly, we encounter the same difficulties as the +, operator when our refinement 
nets have initially marked places that have incoming transitions, and we thus start-unwind the 
refinement net before performing our replacements. 


The action refinement operator is illustrated in Figure 5-1. 


We now define the action refinement operator. For simplicity we assume that the refinement 
net N, is already start-unwound; otherwise, we first start-unwind N, and then carry out this 
construction using the start-unwound version of NV, rather than N, itself. 
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Definition 5.1.3 Let (NV, Act) and (N,, Act) be RWT Nets over a common alphabet Act, and 
let a be a label in Act —{,/}. Then (P, Act) = (N, Act)[a:=(N,, Act)] is defined as: 


Sp = {(s,v)|s€ Sy and v: T—Starty,, where T = {t € posty(s)|ly(t) = a} } 
Ww {(t,s')|t€ Ty, ly(t)=a and s’ € Sy, — Starty, } 


Tp = {(t, +) | Ty and In(t) A a} ¥ (0) [Ce Ty, ly(t) = a and ' € Ty, } 
prep((t, *)) = {(s,0) € Sp|s € prey(t)} 
postp((t, *)) = {(s,0) € Sp|s € posty(t)} 
Ip((t, *)) = lw (@) 


prep((t,t’)) = {(s,v) € Sp|s € prey(t) and v(t) € prey (t')} 
WwW {(t,s') € Sp|s' € prey (t')} 


(1,5) € Sp|s' € posty,(t)} if ly, (t!) #-V 
{(s,v) € Sp|s € posty(t)} otherwise 


paaya fH ey 


T otherwise 


Startp = {(s,v) € Sp|s € Starty} 


We refer to the net (N, Act) as the target of action refinement, or the target net, and we 
refer to the net (N,, Act) as the operator of action refinement, or the refinement net. 


The following facts will be useful in proving that the class of RWT Nets is closed under 
action refinement. 


Definition 5.1.4 Let (N, Act) and (.N’, Act) be RWT Nets over a common alphabet Act, let a 
be a label in Act —{,/}, and let r be arun of N oflength n. A (N,r,a, N’)-respecting substitution 
is a function a from the set {2:1 <i <n and ly(7[?]) = a} to non-empty runs of N’ such that 
for all i € dom(a), if ¢ is a non-maximal event in the pomset-run of r, then some \/-labeled 
transition of N’ occurs in a(2). Let dom(3) = dom(a), and let each 6(7) = (r[#],t1)..-(r[¢], te), 
where a(t) = t,...t,. Then we define ra = r,...rn, where each r; = (2) if 7 € dom(3), and 
r; = (r[2], *) otherwise. 


Lemma 5.1.5 Let (N, Act) and (N,, Act) be RWT Nets over a common alphabet, Act, such 
that (N,, Act) is start-unwound, and let a be a label in Act—{,/}. Also, let (P, Act) = 
(N, Act)[a:=(Nq, Act)|, and let r’ be a run of P. Then there is some run r of N and some 
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(N,r,a, N,)-respecting substitution a such that ra is a run of P whose pomset-run is isomor- 
phic to that of r’. 

Furthermore, let M4‘ be the marking of P reached after firing r’, let M be the marking of NV 
reached after firing r, and for all 7 € dom(a), let M; be the marking of N, reached after firing 
the run a(7). Then for all places of P of the form (t,s’) € Ty x S'y,, 


M'(t,s') = 0 if ¢ does not occur in r 
|) Mi (s') if r[2] is the last occurrence of ¢ in r 


For all places of P of the form (s, v), 


0 if for some i € dom(a) with r[t] € prey(s), 
M"(s,v) = a(t) does not contain a \/-labeled transition 
a wel if there is some 7 € dom(a) with r[z] € posty(s) such that M;(v(r[t])) = 1 


M(s) otherwise 


Proof. The proof is by induction on the length of r’. It is easy to see that lemma holds 
for the base case of |r’| = 0. For the other base case, suppose |r’| = 1. The proof is obvious 
if r’ = (t,*) for some transition ¢ of N that is not a-labeled. Otherwise, r’ = (¢,t’) for some 
a-labeled transition t of N and some transition ¢’ of N,. Let r = t, let dom(a) = {1}, and let 
a(1) =’. Then it is easy to see that ra = r’ and that markings of places of the form Ty x S‘y, 
satisfy the above equation. The remaining property about markings is easily verified. 

For one induction step, let r’ = r’.(¢, *) for some non-empty run r” and some transition t of 
N that is not a-labeled. By induction, there is some run r of N and some (N,r, a, N,)-respecting 
substitution a such that ra is a run of P whose pomset-run is isomorphic to that of r” and the 
properties of the corresponding markings hold. By Proposition 3.2.3, the marking of P reached 
after r” is identical to that reached after ra. Thus, all places (s,v) € Sp with s € prey (t) must 
be marked in P. Suppose for the sake of contradiction that for some place s € prey(t) and 
every corresponding v, there is some i € dom(a) with s € prey(r[t]) such that M;(v(r[2])) = 1. 
Since N is 1-safe, (N,, Act) is start-unwound, and the firing of \/-labeled transitions cleans out 
N and N,, it would follow from Definition 5.1.3 that there is some unique such 7 and that a(2) 
is empty, contradicting the definition of a. Thus, it follows from the inductive hypothesis about 
markings that all places s € prey (t) are marked in N. It is then easy to see from Definition 5.1.3 
that r.t is a run of N, a is a (N,(r.t),a, Nq)-respecting substitution, and (r.t)a is a run of P 
whose pomset-run is isomorphic to that of r’. Furthermore, since N is 1-safe, it is easy to see 
that the desired property of the markings holds. 

For the other induction step, let r’ = r”.(t,t’) for some non-empty run r”, some a-labeled 
transition t of N, and some transition ¢’ of N,. By induction, there is some run r of N and 
some (N,r,a, N,)-respecting substitution a such that ra is a run of P whose pomset-run is 
isomorphic to that of r” and the properties of the corresponding markings hold. For one case, 
suppose that for every occurrence r[i] of t in r, a(i) contains a \/-labeled transition. Since 
the firing of \/-labeled transitions cleans out N4, it is easy to see that all such markings M; 
are empty. It then follows easily from the l-safeness of N that all places s € prey(t) must be 
marked in N, and hence that r.t is a run of N. Let a’ be the extension of a with a(|r.t]) =’. 
It is easy to show that a’ is a (N,(r.t),a, Nq)-respecting substitution, and that (r.t)a’ is a run 
of P whose pomset-run is isomorphic to that of r’. Furthermore, since N is 1-safe, it is easy to 
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see that the desired property of the markings holds. 

For the last case, suppose that for there is some occurrence r|?] of ¢ in r such that a(t) 
does not contain a ,/-labeled event. The 1-safeness of N and Definition 5.1.4 immediately 
imply that 2 is unique and is the last occurrence of ¢ in r. Thus, it follows from the inductive 
hypothesis about markings that ¢’ is enabled in N, under marking M;. Let a/(k) = a(k).t’, let 
dom(a’) = dom(a), and let a’ agree with a on the rest of dom(a). It is easy to see from the 
above fact about M; that a’ is a (N,r,a, N,)-respecting substitution. Furthermore, it follows 
easily from the l-safeness of N and the inductive hypothesis about markings that ra’ is a run 
of P whose pomset-run is isomorphic to that of r’. Finally, since N is l-safe, it is easy to see 
that the desired property of the markings holds, proving the lemma. : 


The following related fact will be useful in proving properties about our semantics: 


Lemma 5.1.6 Let (N, Act) and (N,, Act) be RWT Nets over a common alphabet, Act, such 
that (N,, Act) is start-unwound, and let a be a label in Act —{,/}. Also, let r be a run of N 
and let a be a (N,r,a, N,)-respecting substitution. Then ra is a run of (N, Act)[a:=(Naq, Act)]. 


Proof. Using Lemma 5.1.5, a straightforward induction on the length of r gives the proof. 
The details are left to the reader. 7 


We now have: 
Theorem 5.1.7 The class of RWT Nets is closed under action refinement. 


Proof. Let (N, Act),(Na, Act) be RWT Nets over a common alphabet, Act, let a € 
Act —{,/}, and let (P, Act) = (N, Act)[a:=(N,, Act)|. For simplicity, we assume that (N,, Act) 
is itself start-unwound; however, since by Proposition 5.1.2, start-unwind((.N,, Act)) is a RWT 
Net, the proof is identical for the general case except that we use start-unwind((N, Act)) instead 
of (N,, Act). It is easy to see that the initial marking of P is non-empty and that all transitions 
in P have non-empty presets. Definition 2.1.2 and Definition 5.1.1 then imply that only a finite 
number of places of NV, are initially marked and that only a finite number of a-labeled transitions 
emanate from any given place in N. Thus, it is easy to see that for every place s € Sy, there are 
only a finite number of functions v: T—Starty,, where T = {t € posty(s)|ly(t) = a}. Using 
the fact that (N, Act) and (N,, Act) are RWT Nets, it is then easy to show that the initial 
marking of P is finite, the preset and post-set of every transition in P is finite, and that every 
place in P has only a finite number of transitions with labels in Act —{,/} emanating from it. 

Lemma 5.1.5 together with Proposition 3.2.3 and the 1-safeness of N and N, immediately 
implies that P is 1-safe. Similarly, Lemma 5.1.5 together with Proposition 3.2.3 and the fact that 
all places of N and N, are unmarked immediately after the firing of any \/-labeled transition 
of the respective net immediately implies that the same property about \/-labeled transitions 
holds for P. Finally, the finite-enabling property for P follows easily from Lemma 5.1.5 together 
with the definition of pomset-runs, Proposition 3.2.3, the fact that (N., Act) is start-unwound, 
and the fact that only a finite number of transitions are enabled under any reachable marking 
of N or N,. r 
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Our action refinement operator has a rich algebraic theory. For example, the following 
simple identities hold up to [-Jiii-, equality. We write Succ to denote the WT net which 
must immediately successfully terminate, 7.e., exactly one transition is enabled under its initial 
marking and this transition is \/-labeled. For notational convenience, we simply write a to refer 
to the net a.Suce and write a,.a_ to refer to the net a,.a_.Suce. Furthermore, we write Dead 
to denote the deadlocked process consisting of a single initially marked place and no transitions, 
and a.Dead to refer to the net that does an a and then deadlocks in the sense that no place is 
marked. 
Our action refinement operator satisfies the following simple identities: 


Proposition 5.1.8 Let (N, Act), (Ni, Act), (No, Act) be RWT Nets over a common alphabet 
Act, and let a,a,,a_,a,,4R,b € Act —{,/}. Then the following identities hold up to [-J2i7 


equality: 
ala:=(N; \/, Act) 


(N, Act)[a:=(Dead, Act) 
(N, Act)[a:=(7, Act) 
Spliliaa,,a_\((N, Act) 
choice(a.azaz)((N, Act) 


[a:=(Succ, Act)] = (N, Act)—a 
[a:=(a4.a_, Act)] 
[a:=(az +1 Gp, Act)| 


Nee ee a a 
lI 

a a a 
a 
oO 
om 

“ee eeee 


Assuming that a and 6 are “fresh” labels, (7.e., N; and Nz contain no a-labeled or b-labeled 


transitions), we also have up to [-]7i7, equality: 
((a +7 b)[a:=(N1; V/, Act)])[b:=(No; JV, Act)] = (Ni; J, Act) +r (No; V, Act) 


((a.b)[a:=(N1; V/, Act)])[b:=(No; Jf, Act)] = (Nis V/, Act); (No; V, Act) 
((a |] b)laz=(Mi3 Vv Act) [b:=(No; vV, Act)] = (Nis, Act) || (No; v/, Act) 


For all refinements p, the following distributivity properties hold up to [-]2i;7, equality: 
((Ni, Act) tM (No, Act) )p = (Ni, Act)p TM (No, Act)p 
((N,, Act); (No, Act))p = (N,, Act)p; (No, Act)p 


((N1, Act) || (No, Act))p = (Ni, Act)p || (No, Act)p 
Proof. We give a sketch of the proofs of these identities. It is easy to see that that 
(N, Act)[a:=(Dead, Act)] = (N, Act)\a 


holds up to net isomorphism. For the remaining identities in the first set, we first note that 
all of the refinement nets satisfy the property that for every reachable marking under which 
a \/-labeled transition is enabled, no non-,/-labeled transition is enabled under that marking. 
It is straightforward to see that the 7-labeled transitions resulting from hiding these \/-labeled 
transitions during action refinement thus do not create any extra failure sets. The identities 
then follow easily. 

For the second set of identities, we note for all nets of the form (N;/, Act), the r-labeled 
transitions resulting from hiding the \/-labeled transitions during action refinement do not 
create any extra failure sets. The identity for +), then follows easily. It is straightforward to 
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show that start-unwinding preserves [-]/;;,-meanings, from which the identity for sequencing 


follows easily. Finally, it is easy to see that the different cross-products of \/-labeled transitions 
in the identity for parallel composition do not affect [-]2"7, equality. 

To prove the distributive properties, it is easy to see that the identities for sequencing and 
non-communicating parallel composition hold up to net isomorphism. The identity for +), 


follows easily from the definitions of start-unwinding and action refinement. 7 


Our definition of refinement generalizes the definitions of refinement given by Vogler [47] 
and van Glabbeek/Goltz [41] in the sense that our refined net is [-]{);;,-equivalent to their nets. 
In fact, there is an even tighter relationship between them, namely, these nets are equivalent 
up to a weaker form of history-preserving bisimulation [39] which treats 7-moves as hidden and 
respects concurrent divergences. We omit the definition here since it is not necessary in our 
development. Since Vogler and van Glabbeek/Goltz use a cross-product construction on the 
“accept” places of their refinement nets rather than using 7-moves to transfer control back to 
the target net, our refined net is not quite strongly history-preserving bisimilar to their nets. 
However, if we attach a single \/-labeled transition to their set of accept places, we obtain 
nets which satisfy the property that for every reachable marking under which a \/-labeled 
transition is enabled, no non-,/-labeled transition is enabled under that marking. Thus, the 
T-labeled transitions resulting from hiding these \/-labeled transitions during action refinement 
do not create any extra failure sets. We note, however, that van Glabbeek/Goltz do not impose 
finiteness conditions on their nets since they do not have a hiding operation. Vogler imposes a 
more liberal finiteness condition than ours since his action refinement operator does not allow 
refinement nets to have “initial concurrency”. 

We note that our definition of action refinement preserves finiteness of nets, and thus, in the 
same spirit as our full class of RWT nets, we can allow arbitrary finite RWT nets to function 
as both target nets and refinement nets. The class of finite RWT nets is also closed under all 
of the net operations presented in Chapter 2, including CSP-style parallel composition. 


5.2 Semantics for Action Refinement 


Since RWT Nets by definition are a subclass of WT Nets, all of the net semantics developed 
in Chapter 3 are well-defined on RWT Nets. This section shows that all of these semantics are 
compositional for action refinement, except for [-]“°°" and [-]7°°?. 


Proposition 5.2.1 [-]“°°? and [-]7®°* are not compositional for RWT Nets as either targets 
or operators of action refinement. 

By Theorem 3.2.47, [-]y3,-equality implies [-]™*T-equality. The proposition is then a 
simple consequence of Proposition 3.2.33 and Proposition 5.1.8. 

The following definitions will be useful in proving the compositionality of the other seman- 
tics. 


Definition 5.2.2 Let p be a pomset over an alphabet Act, let A C Act —{,/}, and let f map 
every event e in p whose label is in A to some (possibly empty) pomset p, over Act. The pomset 


q = p|A:=f] is defined as: 
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e Events, = {(e,*):e € Events, and I,(e) ¢ A} 
U {(e, e’): e € Events,, [,(e) € A and e’ € Events, }. 


e 1,((€,*)) = Ip(e) and Uy((e, €)) = tp. (€'). 


e For all (€1,01), (€2,a2) € Events,, (€1,01) <, (€2,@) iff either e, <, €2 or (€; =p €9, 
[,(e1) € A, and ay <p, 2). 


If A is a singleton set {a}, we write pla:=f] to denote p[{a}:=f]. 


Since non-maximal events in a pomset-trace of a target net represent “fully fired” transitions, 
we must be careful to replace them only with “successfully terminated” pomset-traces of the 
refinement nets. The following definition reflects this fact: 


Definition 5.2.3 Let PT and PT, be sets of pomsets over a common alphabet, Act, and let 
a € Act —{./}. Then: 


(PT, Act)[a:=(PT,, Act)] act augment({pla:=f]: p € PT and f maps every a-labeled event e in p 
to some pomset p, in PT, such that 


if e € max(p) then p.;,/ € PT,}) 


Definition 5.2.4 Let p be a pomset over an alphabet Act, let D, be a (possibly empty) set 
of downward-closed subsets of Events,, and let A C Act. Let g map every event e in p whose 
label is in A to some pair (p., D.), where p, is a (possibly empty) pomset over Act and D, is a 
(possibly empty) set of downward-closed subsets of Events,,.. Then (¢,D,) = (p, D,)[A:=g] is 
defined as: 


eg = pl|A:=f], where dom(f) = dom(g) and f(e) = p.(= fst(g(e))) for every event 
e € dom(g). 


e D, = {down,({(e,a) € Events,: e € d}): de D,} 
U {down,({e} x d): e € Events,, [,(e) € A, d€ D., and d Z 0} 
U {down,({(e’, a) € Events, : e’ <, e}): e € Events,, I,(e) € A, and 9 € D.} 


Since dg-labeled events of dupl-split nets represent “fully fired” transitions, we must be care- 
ful to replace them only with “successfully terminated” pomset-traces of the refinement net. 
Similarly, since a,-labeled events of dupl-split nets represent “half fired” transitions, we must 
be careful to replace them only with “non-terminated” pomset-traces of the refinement net. 
Furthermore, in order to be sure that the failure sets corresponding to these non-terminated 
pomset-traces remain valid after refinement, we require that these failure sets contain ,/; this 
ensures that new actions do not become ready by “looking through” the 7r-transition corre- 
sponding to successful termination. As in the semantic definition of CSP-style parallel com- 
position, we only refine /-2-respecting pomsets to avoid confusion between “non-matching” a, 
and a»-labeled actions. 

As evidenced by Proposition 5.1.8, hiding is definable from action refinement. More gener- 
ally, refining a-labeled transitions with any net that can successfully terminate after firing some 
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finite sequence of 7-transitions will have the possible effect of hiding the a-labeled transitions, 
and hence may create additional divergences. In order to simplify our definition of action refine- 
ment on sets of pomset-failures and pomset-divergences, we first define a replace operator that 
ignores the effects of hiding on pomset-divergences (but does account for the independent effects 
on pomset-failures). Using this replace operator, we then define a semantic action refinement 
operator that properly accounts for all the effects of hiding. 


Definition 5.2.5 Let Act be a finite alphabet containing the distinguished symbol ,/, let 
Act’ = {a;: a € Act —{,/} and 0 <i < 2} U {7,7}, and let a € Act—{\/}. Let PF, PF, be 
sets of pomset-failures over Act’, and let PD, PD, be sets of pomset-divergences over Act’. 
Then: 


(PF, PD, Act'\[a replace (PF, PD4, Act’) act (PF', PD’, Act’), where 


PF" = {(pl{ao,a.}:=f], £’): (p, F,) € 1-2-respect( PF) for some F,,, 
and f maps every event e in p with I,(e) € {ao, a1} 
to some pomset-failure (p., F.) in PF, such that 
if (\/,0) € PF, then ao € F,, 
if ,(e€) = ap then (p.3/,0) € PFi, 
if [,(e) = a, then \/ € F. and p, contains no \/-labeled events, 
and FY C (F, UX) NP) {F.: l,(e) = a}, 
where X = {do, @1, a2} — init( PF,)} 


PD" = (pp, D,)[{a0, a1 }:=9]: (p, Dp) © 1-2-respect( PF’) U 1-2-respect(PD), 
D, is a (possibly empty) set of downward-closed subsets of Events,, 
g maps every event e in p with I,(e) € {ao, a1} 
to some (p., D.) in PF, U PD, such that 


D, is a (possibly empty) set of downward-closed subsets of Events,., 


D, UU{D.: e € dom(g)} is non-empty, 
and if 1,(e) = do then (p.;./,0) € PFi} 


PEF’ = augment(0-split(PE”)) U implied-failures 4 .4( PD’) 
PD! = = augment(extend 4,:(0-split( PD"))) 


We now define the semantic action refinement to reflect the hiding behavior of action re- 
finement: 


Definition 5.2.6 Let Act be a finite alphabet containing the distinguished symbol ,/, let 
Act’ = {a;: a € Act —{,/} and 0 <i < 2} U {7,7}, and let a € Act—{\/}. Let PF, PF, be 
sets of pomset-failures over Act’, and let PD, PD, be sets of pomset-divergences over Act’. 
Furthermore, let a’ be an action not in Act U Act’. The following definitions use the operations 
presented in Definition 3.2.45 and Definition 5.2.5. 

If (/,0) ¢ PF,, then 


(PF, PD, Act’)[a:=(PF,, PD,, Act’)| © (PF, PD, Act’\[a replace (PE,, PD,, Act’)| 


114 CHAPTER 5. ACTION REFINEMENT 


Otherwise, if (/,0) € PF,, then 


(PF, PD, Act'\[a:=(PF,, PD,, Act’)| 
def 


(((choice(aa,a)((PF, PD, Act’) grow {a’})) hide a’) shrink Act')[a replace (PF,, PD, Act’)) 


MAY MUST TEST ; 444 
We now show that our [-J*™, [-JNye}, and [-]2i3, semantics are compositional for nets as 
targets and operators of action refinement. As discussed in the Introduction, this is in contrast 


to the semantics of [47], which is not compositional for nets as action refinement operators. 


Theorem 5.2.7 [-]”*”, [-JMye, and [-]2i,3, are compositional for RWT Nets as targets and 


operators of action refinement. 


Proof. Let Act bea finite alphabet containing ,/, let a € Act —{,/}, and let (N, Act), (Na, Act) 
be RWT Nets. 

To prove compositionality of the [ 
quence of Lemma 5.1.5, Lemma 5.1.6, and the definition of pomset-traces and pomset-runs, 


-]M4Y semantics, we first observe that as a simple conse- 


pomset-traces((N, Act)[a:=(Nq, Act)]) = 


{pla:=f] : p © pomset-traces((N, Act)) and f maps every a-labeled event e in p 
to some pomset p, in pomset-traces((N,, Act)) such that 
if e ¢ max(p) then p,;\/ € pomset-traces((N,, Act))} 


The details are straightforward and are left to the reader. 
It is now easy to see that 


[(N, Act)[a:=(N,, Act)]J** = [CN, Act)]** [a:=[(Na, Act) "], 


where the action refinement operation on the right-hand side of the equation is that given in 
Definition 5.2.3. 

We now prove compositionality of the [-]¥;c, semantics. For the first case, suppose that 
(J/,0) € fst([(Na, Act) [anes ). As a consequence of Lemma 5.1.5, Lemma 5.1.6, and the defini- 


split-y 
tion of pomset-runs, pomset-traces, pomset-failures, and pomset-divergences, we have 


pomset-failures((N, Act)|a:=(N,, Act)]) = 


0-split({(p[{do,ai}:=f],£’) + (p, Fp) © 1-2-respect(pomset-failures((N, Act))) for some F,, 
and f maps every event e in p with U,(e) € {ao, a1} 
to some pomset-failure (p., F.) of (Na, Act) such that 
if ,(e€) = ao then (p.; \/,9) € pomset-failures((N,, Act)), 
if [,(e) = a, then \/ € F. and p, contains no \/-labeled events, 
and FY C (F, UX) AP {EF-.: b,(e) = ar}, 
where X = {do, a), a2} — init(pomset-failures((N,, Act)))}) 
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pomset-divergences (N, Act)[a:=(Nq, Act)]) = 


0-split({(p, D»)[{ao, a1 }:=g9]: D, is a (possibly empty) set of downward-closed subsets of Events,, 
(p, Dp) € 1-2-respect(pomset-failures((N, Act)))U 1-2-respect(pomset-divergences(N, Act))), 
g maps every event e in p with I,(e) € {ao, a1} 
to some (p., D,) in pomset-failures((N,, Act)) U pomset-divergences( (N,, Act)) 
such that D, is a (possibly empty) set of downward-closed subsets of Events,,., 
D, UU{D.: e € dom(g)} is non-empty, 
and if 1,(e) = ao then (p.; ./,0) € pomset-failures((N,, Act))}) 


The details are straightforward but tedious and are left to the reader. 


We now show that for the case when (,/,0) ¢ fst([(Na, Act) Mis"), 


split-y 


[(.N, Act) [a:=(Nq, Act) |JMUS? = [(N, Act)]MUS? [a:=[(N a, Act) eee], 


split-y split-y split-y 


where the action refinement operation on the right-hand side of the equation is that given in 
Definition 5.2.6. 


One direction is a simple consequence of the definition of [-J¥u.), Definition 5.2.6, and the 


highlighted equality above for the pomset-failures and pomset-divergences of the refined net. 
For the other direction, let (r,D,) € snd([(N, Act)]Mieyla:=[(Na, Act) [Mic ); then (r,D,) € 


augment(extends:({q,D,))) for some pomset-divergence (q,D,) such that (¢,D,) = 
(1, Da) ao, 41 }:=g] for some (m1, D,,) € [N, Act)]Mie) and some g mapping do-labeled and 


split- 
a,-labeled events e of q, to [(Na, Act)]¥i.,- In turn, (qi. D,,) € augment( extend 4ct((pi, Dp,))) 
for some (p;,D,,) that is a pomset-divergence/pomset-failure of N, and each g(e) 
€ augment(extend4-+((pe, Dp.))) for some (p., Dp.) that is a pomset-divergence/pomset-failure 
of N,. It is easy to show that (¢,D,) € augment( extend 4.¢((p1, Dp,)[{a0, a1 }:=9']), where g’ is 
the restriction of g to dp-labeled and a,-labeled events e of p,. Hence, the highlighted fact above 
together with the definition of [-]MJ5* implies that (q, D,) € snd([(N, Act)[a:=(Nq, Act) |[Myeo )- 


split- split-y 
It now follows from Proposition 3.2.18 that (r,D,) € snd([(N, Act)[a:=(Na, Act)|JNie,). The 
proof for pomset-failures in (r, D,) € fst([(N, Act) ere) la:=[(Na, Act) |Mye5]) is similar and is 
left to the reader. 
The other case, when (\/,0) € fst([(Na, Act) Mie ), then follows from the above proof, Defi- 
nition 5.2.6, Theorem 3.2.46, and the following easily proved fact: if (V/,0) € fst([(Na, Act) ene; ) 
then 


[(N, Act)[a:=(Na, Act)| ne 


(((choice(a,a,a([(N, Act)]Mie% grow {a’})) hide a’) shrink Act’)[a replace [(Nq, Act) Mie) ] 


split- split-y 


The details are left to the reader. a 
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In order to prove compositionality of the corresponding interval semantics, we will need the 
following facts about refining interval pomsets and interval pomset-divergences: 


Proposition 5.2.8 Let q¢ be an interval pomset such that ¢ € augment(pla:=f]) for some pom- 
set p and function f mapping a-labeled events in p to pomsets. Then q¢ € augment(p’[a:= f']) 
for some interval pomset p’ > p and some function f’ mapping a-labeled events in p’ to interval 
pomsets such that f/(e) = f(e) for all e € dom(f). 


Proposition 5.2.9 Let (q,D,) be an interval pomset-divergence such that 

(q,D,) € augment((p, D,)[A:=g]) for some pomset-divergence (p, D,) and function g mapping 
events in p with labels in A to pomset-divergences. Then (¢,D,) € augment((p’, D,:)[A:=g']) 
for some interval pomset-divergence (p’, D,-) = (p, D,) and some function g’ mapping events in 
p’ with labels in A to interval pomset-divergences such that g’(e) = g(e) for all e € dom(g). 


Using Lemmas 3.3.7 and 3.3.8 to account for the possible hiding effect of action refinement, 
the proofs of the propositions are straightforward and left to the reader. 
We now have: 


Theorem 5.2.10 The [-JMAY, [-JM2%5, and [-]f25" are compositional for RWT Nets as targets 


intvl ? intvl-y? intvl-y 
and operators of action refinement. 


Proof. Let Act bea finite alphabet containing ,/, let a € Act —{,/}, and let (N, Act), (Na, Act) 
be RWT Nets. 

We show that the following identities hold, where operations on the right-hand side of the 
equations are those given in Definition 5.2.3 and Definition 5.2.6. 


[(N, Act)[a:=(Nq, Act)|JMAY = intervals([(N, Act) MA) [a:=[(Na, Act) Mar ]) 


intvl intvl intvl 


[(N, Act)[a:=(N,, Act)]J@08" = intervals((N, Act) Js" [a:=[(Nq, Act) ees? ]) 


intvl-y intvl-y intvl-y 


The identity for [-JMAY is a simple consequence of the augmentation-closure of the | 


intvl 


semantics, Theorem 5.2.7, and Proposition 5.2.8. 


pase 
It is easy to see that one direction of the equation for [-]¥7° follows easily from Theo- 


rem 5.2.7 and the monotonicity of the action refinement operation. For the other direction, let 
(r, D,) € snd([(N, Act)[a:=(Nq, Act) [ery ); then (r, D,) € intervals(augment(extend4:((p, Dp) ))) 


intvl-y 
for some pomset-divergence (p, D,) of (N, Act)[a:=(.N,, Act)]. By Lemma 3.2.15 and Lemma 3.3.9, 
there is some interval pomset-divergence (q, {d’}}) such that (r, D,) € augment(extend4.:((q, {d’}))), 


q is an augmentation of a prefix of p and d' 5 d for some d € D,. By Proposition 3.2.14, 
(q,{d'}) € extend, .;(augment(pomset-divergences((N, Act)[a:=(Nq, Act)|))). 


It then follows easily from the highlighted fact in the proof of Theorem 5.2.7 that (q, {d’}) € 
extend 4-4(augment( 0-split((p', Dp:)))) for some (p’, Dy) © (pi, D1)[{ao, a1 }:=g], where (pi, D1) 
is an appropriate pomset-divergence or pomset-failure and g is a suitable function. 
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It follows from Lemma 3.3.9 and Proposition 5.2.9 that there are some interval pomset- 
divergences (q', Dy) = (p', Do), (GH, Pa) = (pi, P1) and g'(e) = g(e) for all e € dom(g), such 
that (q, {d’}) € extend 4,4(augment(0-split((q’, D,)))) and (q’, Dy) € augment((q, Dy, )[{ao, a} 
From the definition of 0-split and augment and Lemma 3.2.16, it is easy to see that 


(q,{d'}) € augment( extend 4.¢( 0-split((q, D,,){{ao, a1 }:=9']))). 


The desired equality then follows easily. The proof for pomset-failures is similar, except that it 
uses Proposition 5.2.8 as well. : 


We then have: 


Theorem 5.2.11 The [-Jey, [-Ji,, and [Jin semantics are respectively fully abstract for 
MAY-equivalence, MUST-equivalence, and Testing-equivalence with respect to alphabet expan- 


sion and action refinement. 


Proof. It is easy to see from the definitions of the [-JDV8" and [-]i*s" that [-Jooe7 


split-y intvl-y split-y 
equality implies [-]iiv-,-equality. Thus, Proposition 5.1.8 shows that split refinements, choice 


refinements, and CCS choice can be defined from action refinement up to [-];{;.,-equality. The 
theorem is then a simple consequence of Theorem 3.3.11 and Theorem 5.2.10. : 


5.3. The Semantic Domains Revisited 

All of the semantic domains, except for DTP" and D7", developed in Chapter 4 are closed 
under the appropriate action refinement operators given Definition 5.2.3 and Definition 5.2.6. 
Furthermore, these action refinements operators are continuous functions on the corresponding 
domains. 


MAY MUST-split-¥y TEST-split-y MAY-intvl MUST-intvl¥ TEST-intvl y 
Theorem 5.3.1 The DYS*, Diy , D act, Act! , De » Dace , and D act, Act! 
domains are closed under action refinement. Furthermore, action refinement is a continuous 
function on all of these domains. 


Proof. The proof that the domains are closed is straightforward but tedious; the details 
are left to the reader. 

The continuity of action refinement on DYAY and and DY4*"™ is completely routine to 
verify, as is the continuity for the other domains when (\/,@) is not in the failure set of the 
refinement operator. The general case is then a simple consequence of Definition 5.2.6 and 
the continuity of alphabet expansion and shrinking, choice refinements, and hiding, which were 
proved in Chapter 4. : 


:=g']). 
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Chapter 6 


Deciding True Concurrency 
Equivalences 


6.1 Introduction 


The computational complexity of the equivalence problem for nondeterministic finite-state au- 
tomata under a variety of standard process semantics has been tightly characterized. In partic- 
ular, trace equivalence and failure equivalence [8] are PSPACE-complete [26], while bisimulation 
[30] is PTIME-complete [4, 26]. It has been shown recently that these equivalence problems 
are exponentially harder for automata presented as finite “Mazurkiewicz nets” of synchro- 
nized state-machines [35]: namely, trace equivalence and failure equivalence of these nets are 
EXPSPACE-complete [29, 34] and bisimulation of these nets is DEXPTIME-complete [36]. 

The known results for “true” concurrency equivalences are much more limited. Vogler 
[46, 48] has shown the decidability of history-preserving bisimulation [5, 35, 39, 50, 46] and 
maximality-preserving bisimulation [13, 50] for finite 1-safe Petri nets; however, their complex- 
ity remained open. Decidability of such a basic true concurrency property as pomset-trace 
equivalence [39] appears not to have been known. (An ordinary trace is a linear sequence of 
visible actions; pomset-traces generalize these to multi-sets of actions partially ordered to reflect 
causality and concurrency.) 

In contrast to trace equivalence, the decidability of pomset-trace equivalence for finite nets 
does not obviously reduce to equivalence of finite automata. The difficulty is that if a run of a 
net has a pomset-trace isomorphic to the pomset-trace of a run of another net, then whether a 
transition firable after one run yields the “same” pomset extension as a transition firable after 
the other run depends a priori on the entire pomset trace, which may be unboundedly large. 
Hence instead of searching for a suitable equivalence relation on the finite set of net markings, 
one has to consider equivalence relations on a potentially infinite set of pomset traces and final 
markings. 

A similar difficulty appears in deciding whether finite nets are history-preserving bisimilar, 
which Vogler [46, 48] overcomes by maintaining, instead of an entire pomset history, a partial 
order on the fixed set of places of the nets that reflects “most-recent” firings. We use a similar 
partial order, but instead of places, we find it technically smoother to keep track of the partial 
ordering between the most-recent firings of transitions. This idea leads to a decision procedure 
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[Fgaivalence | Complenity ——] 

pxpsPact-complete 
Failures / EXPSPACE-complete 
divergences 


Bisimulation | ST-bisimulation [39, 42] DEXPTIME-complete 
History-preserving Bisimulation 


[5, 35, 39, 50, 46] 


Pomset-bisimulation [6] DEXPTIME-hard 

eM | anti ixrsrce_ 
Pomset-ST-bisimulation [50] DEXPTIME-hard 
re ee 


Table 6.1: Complexity results for finite l-safe Petri Nets 


for pomset-trace equivalence, and a simple analysis of this procedure yields an EXPSPACE upper 
bound. The same approach also gives a DEXPTIME decision procedure for history-preserving 
bisimulation. 

Our lower bounds for these true concurrency equivalences follow easily from reductions 
from the corresponding interleaving equivalences, whose lower bounds in turn essentially follow 
from the results of [29, 34, 36]. We thus obtain a tight bound of EXPSPACE-completeness for 
pomset-trace equivalence. Likewise, we obtain DEXPTIME-completeness for history-preserving 
bisimulation and maximality-preserving bisimulation, settling questions left open by Vogler 
[46, 48]. 

Our methods also yield tight complexity bounds for several other true concurrency equiva- 
lences, summarized in Table 6.1. In particular, our EXPSPACE-completeness results for ST-traces 
and ST-failures solve problems left open by Vogler [49], who had earlier proved the decidabil- 
ity of these equivalences. Furthermore, our decidability results for pomset-bisimulation and 
pomset-ST-bisimulation settle questions alluded to by Vogler [45]. 

This chapter is organized as follows. Section 6.2 describes our alternate characterization 
of pomset-trace equivalence, together with an EXPSPACE decision procedure. Similar analyses 


'For expository purposes, we refer to bounds of the form 2°") for fixed k as exponentialin n. In the results 
presented here, k is at most 4. 
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of history-preserving bisimulation and pomset bisimulation are given in Section 6.3, while Sec- 
tion 6.4 describes decision procedures for the other equivalences. Section 6.5 gives lower bounds 
for all these equivalences. A discussion of some open problems appears in Section 6.6. 


6.2 Deciding Pomset-Trace Equivalence 


Throughout this chapter, we use the term nets to refer to marked, /-safe Petri Nets [46] whose 
transitions have labels from a fixed set Act U{r}, where Act is a set of “visible actions” and 
tT ¢ Act is the “hidden action.” A transition is visible (hidden) iff its label is visible (hidden). 
The runs of a net are its finite firing sequences [46]. A net is finite iff it has a finite number of 
places and transitions; the size of a net is the total number of its places and transitions. 


Definition 6.2.1 A pomset is a labeled partial order. Formally, a pomset, p, consists of a 
set Events, whose elements are called events, a set Labels, whose elements are called labels, a 
function label,: Events, -Labels,, and a partial order relation <, on Events,. A function f is 
an isomorphism between pomset p and pomset gq iff it is a label-preserving order-isomorphism, 
namely, 


e f: Events, Events, is a bijection, 
e label, = label, o f, 
ec<, e' iff fle) <, f(e’) for all e,e’ € Events,. 


The places of a transition ¢ of a net N are the places directly connected to it, 7.e., the union 
of the preset and postset of ¢t. Let #,,t) be transitions of a net N. We say that t, and ft, are 
statically concurrent in N iff the places of ¢, are disjoint from the places of ty. 

A transition-sequence, Tr, is a sequence of transitions of a net N. The transition-pomset of r 
has as events the integers from 1 to n, where the label of event 7 is ¢; and the partial ordering 
is the transitive closure of the following “proximate cause” relation: event i proximately causes 
event j iff 7 <7 and ¢; and ¢; are not statically concurrent in N, ef. Figure 6-1. 

The visible-pomset of r is the transition-pomset of r, restricted to events labeled with visible 
transitions; moreover, in the visible-pomset, the label of event 7 is the label of ¢; (rather than t; 
itself), cf. Figure 6-1. The pomset-traces of N are the visible-pomsets of runs of N. 

For transition-pomsets and visible-pomsets, it is traditional to say that event e causes event 
e’ iff e < e’ in the partial order. 


Definition 6.2.2 Let N and N’ be nets. Then N pomset-trace approximates N’, written 
N Ent N’, iff every pomset-trace of N is isomorphic to some pomset-trace of NV’. N and N’ 
are pomset-trace equivalent iff each is Ep¢ the other. 


The runs of a finite net are clearly recognizable by a finite state automaton, namely, the 
“global state” automaton of the net itself. We represent an ordered pair r = t)...t,, 7” = 
t/...t/, of transition-sequences of the same length as an input string (t,¢/)...(¢,,t”) for an 
automaton whose alphabet is ordered pairs of transitions. So an “obvious” solution to the 
pomset-trace equivalence problem would be to define an effective procedure that, given any 


two finite nets as input, computes a finite-state automaton whose language consists of all the 
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Figure 6-1: An Example of a Transition-pomset and Pomset-trace 


Figure 6-2: An Example 


pairs of runs of the respective nets that have isomorphic pomset-traces. Such an automaton 
would easily yield a decision procedure for pomset-trace equivalence, since we could project the 
language it accepts onto the components of the pairs and check that the resulting languages 
include the set of runs of the respective nets. 

However, such a finite-state automaton does not exist; the difficulty is that pairs of runs 
with isomorphic pomset-traces may generate the pomset-traces in different order, one getting 
unboundedly behind the other before catching up at the end. For example, let N be the net 
pictured in Figure 6-2. Then two runs of N have the same pomset-trace iff they have the 
same number of occurrences of a- and b-labeled transitions, and the set of such pairs of runs is 
obviously not finite-state recognizable. 

We will show in this section that it suffices to consider pairs of runs that are “synchronous” 
in the sense that their behavior corresponds at each pair of transitions. We say that two runs 
rand r” are equivalent up to concurrency iff they have isomorphic transition-pomsets. We will 
show that: 


e For all pairs of runs r and r’ with isomorphic pomset-traces, there is a run r” that is 
equivalent to 7’ up to concurrency, and r and r” are “synchronous.” 


e The set of pairs of synchronous runs is recognizable by a finite automaton with size 
bounded by an exponential in the sizes of the nets. 


Our decision procedure for pomset-trace equivalence is based on constructing such a finite- 
state automaton. To simplify the exposition, we consider first the case without hidden transi- 
tions. Our proofs will use the following fact about transition-pomsets: 
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Definition 6.2.3 A pomset p’ is a linearization of a pomset p iff it has the same events and 
labels as p and <, is a total ordering that contains <,. Let ¢ be a pomset such that <, is 
a total ordering. Then for any 1 < i < |Events,|, the i? largest event of ¢ is the (necessarily 
unique) event e € Events, such that the longest chain e; <,...<, e, <q € in q is of length 7. 

Let r = tit.... be a transition-sequence of a net N; we write |r| for the length of r, and for 
any 1 <i < |r|, we write r[i] to denote the 2 element, t;, of r. 


Proposition 6.2.4 Let r be arun ofa net JN, let p’ be a linearization of the transition-pomset 
of r, and let r’ be the transition-sequence corresponding to p’, 7.e., r’ = 1, ...t),;, where each t; 
is the label of the 2*” largest event of p’. Then r’ is a run of N reaching the same final marking 
as fr. 


The proposition is easily proved by induction on the number of pairs (7,7) such that 7 < j 
but the 2‘? event of p’ is larger (in the standard integer ordering) than the j™ event of p’. The 
details are left to the reader. 


6.2.1 Nets without Hidden Transitions 


In this section, we assume that nets do not contain hidden transitions. 


Definition 6.2.5 Let r and r’ be transition-sequences of nets N and N’, respectively. We 
say that r and r’ are synchronous iff the identity function on {1,2,...,|r|} is an isomorphism 
between the visible-pomset of r and the visible-pomset of r’. 


In particular, if r and r’ are synchronous, then they are of the same length. 


We then have: 


Lemma 6.2.6 Let r and r’ be runs of nets N and N’, respectively. If the pomset-traces of r 
and r’ are isomorphic, then there is some run r” of N’ such that 


e and r” are equivalent up to concurrency, and 


e rand r” are synchronous. 


Proof. Let J be the isomorphism between the pomset-trace of r and the pomset-trace of 
r’. Since in this section we assume that nets do not contain hidden transitions, clearly r and 
r’ are of the same length. Let r” be the transition-sequence obtained from r’ by applying I 
element-wise to r; that is, r’[¢] = r’[1(¢)] for all 1 <2 < |r’J. 

It follows easily from the definition of r” that J is a label-preserving bijection between the 
transition-pomsets of r” and r’. To show that J is an order-isomorphism, it clearly suffices to 
show that J and J~1 preserve proximate causes. Let event 7 be a proximate cause of event 7 
in the transition-pomset of r”. Then i < 7, and transition r”[i] and transition r’[j] are not 
statically concurrent in N’; hence transition r’[/(z)] and transition r’[/(j)] are not statically 
concurrent in N’. I(j7) < I(t) would imply that event [(j) is a proximate cause of event [(2) 
in the pomset-trace of r’; since J is an isomorphism between the pomset-trace of r and the 
pomset-trace of r’, it would follow that event 7 causes event 7? in the pomset-trace of r, and 
therefore that 7 < 7, a contradiction. Hence [(i) < I(j), and so event [(%) is a proximate cause 
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of [(7) in the transition-pomset of r’, proving this direction. The proof of the other direction is 
similar and omitted. This completes the proof that r’ and r” are equivalent up to concurrency; 
that is, they have isomorphic transition-pomsets. 

Every transition-sequence corresponds to a linearization of its transition-pomset, by defi- 
nition. Since r’ is a run, and r’ and r” have isomorphic transition-pomsets, Proposition 6.2.4 
immediately implies that r” is a run of NV’. 

Clearly, [~! is an isomorphism between the pomset-trace of r’ and the pomset-trace of r”. 
Pomset isomorphisms are closed under function composition; thus I~! o I, i.e., the identity 
function on {1,...,|r|},is an isomorphism between the pomset-trace of r and the pomset-trace 
of r’. This implies that r and r” are synchronous, completing the proof of the lemma. 7 


An important property of synchronous transition-sequences is that their equal-length pre- 
fixes are also synchronous. 


Definition 6.2.7 Let p be a pomset and e,e’ € Events,. Event e’ is a maximal cause of event 
e in p providing e’ <, e and there is no event e” € Events, such that e’ <, e” <, e. 


Proposition 6.2.8 Let r and r’ be transition-sequences of length n > 0 and let ¢ and t’ be 
transitions of nets N and N’, respectively. Then r.¢ and r’.t’ are synchronous iff 


e rand?’ are synchronous, 
e ¢ and ?#’ have the same label, and 


e the maximal causes of event n+ 1 are the same in the transition-pomsets of r.t and r’.t’. 


The proof is completely straightforward and is left to the reader. 

Thus, in determining whether two pomset-traces “grow” synchronously, it suffices to keep 
track of the correspondence between maximal causes. We now observe that all maximal causes 
will necessarily be the most-recent firings of the corresponding transitions. 


Definition 6.2.9 Let r = t,...t, be a transition-sequence of a net N. Event 7 is a most 
recent firing of transition t in r iff t; = t and t; # t fori < gy <n. Let growth-sites(r) be the 
transition-pomset of r, restricted to the most-recent firings of the transitions in r, cf. Figure 6-3. 


Proposition 6.2.10 Let r=t,...t, be a transition-sequence and t be a transition of a net N. 
Then the maximal causes of event n+ 1 in the visible-pomset of r.t are a subset of the events 
of growth-sites(r). 


Proof. Suppose event ¢ of the visible-pomset of r.t is a maximal cause of event n +4 1. 
Then by the definition of the causal partial ordering, event t must be a proximate cause of 
event n+ 1, and hence transition t; must not be statically concurrent with t. Therefore any 
later firing of ¢;, that is, any event 7 with « < 7 <n and t; = t;, would also be a proximate 
cause of ¢. But since event 7 proximately causes any such event j, this would contradict event 
t being a maximal cause of event n+ 1. r 


We also make the simple observation that the growth-sites of transition-sequence r.t are 
fully determined by ¢ and the growth-sites of r: 
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Proposition 6.2.11 Let r be a transition-sequence and ¢ a transition of a net N. Then 
growth-sites(r.t) = {i € growth-sites(r): rt] A t} U {rd}. 


Proof. Clearly, event |r.t| is the most-recent firing of transition ¢ in r.t. Furthermore, the 
most recent firing of any other transition ¢’ is the same in r and r.t. 7 


It now follows that whether two synchronous runs remain synchronous after firing another 
pair of transitions depends solely on the labels of these transitions, and on whether the causes 
of these transitions are the same in the growth-sites of the respective runs. It will be helpful 
to define a more general growth-site correspondence (gsc) between causes in growth-sites. To 
avoid confusion, we introduce the following terminology: 


Definition 6.2.12 Let p and ¢ be pomsets and let f: p—g be a partial function from Events, 
to Events,. Then p is the source of f, written source(f), and q is the target of f, writ- 
ten target(f). Furthermore, the domain-of-definition of f is the subset of Events, given 
by {e € Events,: f(e) is defined}, and the image of f is the subset of Events, given by 
{e’ € Events,: f(e) = e’ for some e € Events, }. 


Definition 6.2.13 Let r=t,...t, andr’ =t,...U, be transition-sequences of nets N and N’, 
respectively. Then gsc(r,r’) is defined iff r and r’ are synchronous. Furthermore, if r and r’ are 
synchronous, then gsc(r,r’) is the partial identity function {: growth-sites(r)—growth-sites(r’) 
such that 6(¢) = 7 iffi = 7 andi € Events growth-sites(r) OU Events growth-siteqrr) Ch Figure 6- 
3. In particular, growth-sites(r) is the source of gsc(r,r’), and growth-sites(r’) is the target of 
gsc(r, 7’). 


We now state the key observation underlying our decision procedure: the growth-site cor- 
respondence of a pair of runs r.¢ and r’.t’ is determined up to isomorphism by the isomorphism 
class of the growth-site correspondence between r and r’. 


Definition 6.2.14 Let @ and ¥ be partial functions whose source and target are pomsets. We 
say that @ and 7 are isomorphic, written 6 ~ 7, iff there is a pair of functions (J, /) such that 


e / is an isomorphism between source() and source(7), 
e J is an isomorphism between target(3) and target(y), and 
eyol=Jop. 


Lemma 6.2.15 Let r,,r2 be transition-sequences and ¢ a transition of net N; likewise for 
ri,rs,t of net N’. If gsc(ri,r}) & gsc(re,r5), then gsc(ry.t, r}.) © gsc(re.t, rh’). 


Proof. Let (/,J) be the isomorphism between gsc(r1,7r1) and gsc(r2,75), noting that both 
gsc(r,,7r,) and gsc(ro, ri) are defined. 
We define the function I’ to be 


I'(i) _ |ro.t| ifi= |r,.t| 
~ |) Li) if te Events and 2 F |r;.¢| 


growth-sites(r,.t) 
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Figure 6-3: An Example of Growth-Sites and Growth-Site Correspondence 
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and define the function J’ to be 


I'(j) = lri.t'| if 7 = [rit 
a J(j) ifje Events growth-sites(r! t’) and j # |r}.t'| 


By Proposition 6.2.11, /’ and J’ are total functions on Events growth-sites(r:t) and Events growth-sites(r'.t’)> 
respectively. Definition 6.2.9, Proposition 6.2.11, and the properties of J and J imply that J’ is 
an isomorphism between growth-sites(r,.t) and 
growth-sites(ry.t), and J’ is an isomorphism between  growth-sites(r,.t') and 
growth-sites(r.t’). The details are left to the reader. 


In order to prove that gsc(rz.t, r5.l ol’ = J’ogsc(r,.t, r,t’), we first show that gsc(r,.t, rt’) 
is defined iff gsc(rz.t, r5.t’) is defined. For one direction, suppose that gsc(r).t, r}.t') is defined; 
thus, r,.¢ and rj.t’ are synchronous and ¢ and ¢’ have the same label, Furthermore, since 
gsc(r2,75) is defined, we have that ry and r are synchronous and |rz| = |r5|.. By Proposi- 
tion 6.2.8, it remains to show that the maximal causes of event |rz.¢| are the same in the 
transition-pomsets of rj.t and r.t’. For one direction, let event k be a maximal cause of event 
|ro.t| in the transition-pomset of rz.t; Proposition 6.2.10 implies that k € growth-sites(r.). 
Since J is an isomorphism between growth-sites(r;) and growth-sites(rz), it follows that [~'(k) € 
growth-sites(r,) and that event [~'(k) is amaximal cause of event |r,.t| in the transition-pomset 
of r,.t; the details are straightforward but slightly tedious and are left to the reader. Since 
r;.t and r}.t’ are synchronous, Proposition 6.2.8 implies that event [~'(k) is also a maximal 
cause of event |r{.t’| in the transition-pomset of r/.t’, ri[I~'(k)] and ¢’ are not statically concur- 
rent, and [~'(k) € growth-sites(r{). Definitions 6.2.9, 6.2.13, and 6.2.14 and our definition of 
(I, J) then imply that rj [I~'(k)] = r5[JU7'(k))] = r5[k], and so r5[k] and ?’ are not statically 
concurrent; hence, event & must cause event |r}.t'| in the transition-pomset of r}.t’. The other 
direction is analogous, and so the maximal causes of event |rz.¢| are the same in the transition- 
pomsets of rz.t and rj.t’. Thus, by Proposition 6.2.8, r2.t and rj.t’ are synchronous, proving 
that gsc(r2.t,r5.t/) is defined. The proof of the other direction, namely that gsc(r;.t,r}.t') is 
defined whenever gsc(rz.t, r.t’) is defined, is analogous and omitted. 


We now show that gsc(ro.t, r5.t') ol! = J’ 0 gsc(r,.t, rt’). For one direction, let i be some 
event on which gsc(rz.t, r5.t/)ol’ is defined. It then follows by Definition 6.2.13 and the definition 
of I’ that 2 € growth-sites(r;.t), I'(2) € growth-sites(rz.t)N growth-sites(r5.t'), and gse(rs.t, r5.t’) 
is defined; thus, by the above proof, gsc(r,.t, r}.t’) is defined, |r,.t| = |r}.t’|, and |ra.¢| = |r.t’]. 
For one case, suppose that 7 # |r;.t|; then I’(2) = I(2) F |r4.t’| and thus by Proposition 6.2.11, 
? € growth-sites(r,), ['(2) € growth-sites(r2) N growth-sites(r), and ri[I’(i)] # t. Since by 
assumption, gsc(r1, 7) and gsc(rs,r,) are defined and gsc(r2,r,) of = Jo gsc(r, 7), it follows 
that (J o gse(r1,7{))(@) = I’(2). Thus, ? € growth-sites(r), I’(¢) = J(2), and ri[t] = r5[J(a)] = 
ri[1’(2)], and so rj[i] # t/. Proposition 6.2.11 then implies that 2 € growth-sites(r{.t'), and so 
J’ 0 gse(r;.t, rt’) is defined on i. Furthermore, 


(gsc(ro.t, r5.t') o L)(4) = (gse(r2, 75) 0 L(t) = (J 0 gse(ri, 1) (4) = (J! 0 gse(ry.t, ry .f))(4), 


proving this case. The other case is similar and is left to the reader. The proof of the other 
direction is analogous. 7 
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The size of the growth-sites of any transition-sequence of a net is obviously bounded by the 
number of transitions in that net. We can thus easily conclude that the number of isomorphism 
classes of growth-site correspondences between transition-sequences of nets N and N‘is bounded 
by an exponential in the maximum of the number of transitions in N and N’. 


We thus have: 


Theorem 6.2.16 For any finite nets N and N’, there is a deterministic finite-state automaton 
recognizing the set of pairs of synchronous transition-sequences of N and N’. If m and m’ are 
the number of transitions in N and N’, respectively, then the number of states in the automaton 
is bounded by cmaxtmm'}” for some fixed constant c > 1. 


Proof. The states of the automaton are the isomorphism classes of growth-site corre- 
spondences between transition-sequences of N and N’. A state G moves to a state y via a pair 
(¢,t’) of transitions iff @ is the isomorphism class of gsc(r,7r’) and ¥ is the isomorphism class of 
gsc(r.t,r’.t’) for some transition-sequences r and r’ of N and N’, respectively. The start state 
is the isomorphism class of the empty function, and all states are accepting. By Lemma 6.2.15, 
this automaton is deterministic. 

If (41, t,)..-(t,#,) is in the language of the automaton, then by Lemma 6.2.15, the fi- 
nal state reached must be the isomorphism class of gsc(t,...t,,t,...t,). Hence, this growth- 
site correspondence is defined, and so t,...t, and ¢,...t, are synchronous. Conversely, if 
t,...¢, and t,...t, are synchronous, then all their equal-length prefixes are synchronous, and 
so gsc(t,...t;,t,...t/) is defined for all 0<i< kh. Hence, by Lemma 6.2.15 and the definition 
of the automaton, (t,,t,)...(t,,U,) is in its language. = 


Since the runs of a finite net are finite-state recognizable by the (necessarily deterministic) 
transition system of the net itself, and since finite-state recognizable sets are closed under 
intersection and renaming input symbols, we conclude: 


Corollary 6.2.17 For any finite nets N and N’, there is a finite-state automaton whose lan- 
guage is the set of runs r of N for which there is some run r’ of N’ such that r and r’ are 
synchronous. If m and m’ are the number of transitions in N and N’, respectively, and n 
and n’ are the number of places in N and N’, respectively, then the number of states in the 
automaton is bounded by dmax{mm'}*+max{n.n'} for some fixed constant d> 1. 


Proof. The number of states in the deterministic automaton that recognizes the set of 
pairs of runs of N and N’ is b™@*{"."} for some fixed constant b > 1. The intersection of this 
automaton with that of Theorem 6.2.16 has number of states bounded by dmax{m,m’}’+max{n,n'} 
for some fixed constant d > 1. Then renaming each input symbol (t,t’) by symbol t does not 
change the number of states and yields the desired automaton. 7 


It is fairly straightforward to show that such an automaton can in fact be constructed in 
space proportional to the size of its transition table. The desired decidability result then follows 
as a corollary: 


Theorem 6.2.18 The pomset-trace equivalence problem for finite nets without hidden tran- 
sitions can be decided in space exponential in the number of places and transitions in the 
nets. 
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Proof. By Lemma 6.2.6 and Corollary 6.2.17, N Cpt N’ iff the language of the finite-state 
automaton given in Corollary 6.2.17 is the set of all runs of NV. It is easy to construct another 
finite-state automaton, of essentially the same size, recognizing the runs of N. So N Ep, N’ iff 
these automata recognize the same language. But language equivalence is checkable in space 
proportional to the size of the automata [22]. . 


6.2.2 Nets with Hidden Transitions 


We now show how the results above extend to nets which may contain hidden transitions. We 
begin by modifying our definition of “synchronous” to take account of hidden transitions. This 
new definition will coincide with Definition 6.2.5 for nets without hidden transitions. 


Definition 6.2.19 Let r = t,...t, and and r’ = t|...t/, be transition-sequences of nets NV 
and N’, respectively. 

Let a,,,. be the partial function on the integers such that a,,,.(¢) = 7 iff ¢; is the k"" transition 
of r with a visible label and 1; is the k*" transition of r’ with a visible label, for some (necessarily 
unique) k. 

Then r and r’ are synchronous iff a,» is an isomorphism between the visible-pomset of r 
and the visible-pomset of r’. 


In particular, if r and r’ are synchronous, then they have the same number of occurrences 
of visible transitions. 
Lemma 6.2.6 continues to hold for this generalized notion of synchronous: 


Lemma 6.2.20 Let r and r’ be runs of nets N and N’, respectively. If the pomset-traces of r 
and r’ are isomorphic, then there is some run r” of N’ such that 


e the transition-pomsets of r’ and r” are isomorphic, and 


e rand r” are synchronous. 


Proof. The proof extends that of Lemma 6.2.6. Let J be the isomorphism between the 
pomset-trace of r and the pomset-trace of r’, and let g and gq’ respectively be the transition- 
pomsets of r and r’. Clearly, r and r’ must contain the same number, k, of occurrences of 
transitions with visible labels. For 1 < i < k, we define vis,(i) to be the index of the gth 
visible transition-occurrence in r; that is, vis,(7) = m, where r[m] is the (necessarily unique) i? 
transition of r with a visible label. We let v be the sequence of visible transition-occurrences 
obtained from r’ by applying J element-wise to visible transitions of r; that is, v[27] = r’[I(vis,(2))] 
for all 1 <2 < k. We then obtain r” by “padding” » with sequences w; of hidden transition- 
occurrences of r’; each composite sequence w,...w, will contain exactly the hidden transition- 
occurrences of r’ that are necessary for the v[1],...,[¢] to fire. In order to define the w,;, we 
first define z;, for 1 <2 < k, to be the ascending sequence of indices of the “remaining” hidden 
transition-occurrences that causally precede r’[/(vis,(2))]. Furthermore, we define z,4, to be 
the sequence of indices of “left-over” hidden transition-occurrences of r’. 
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z; = the ascending sequence over the set 
{ji <q I(vis,(i)): r'[y] is a hidden transition and j £4 I(vis,(n)) for all n < i} 


Zrii = the ascending sequence over the set 
{j < |r|: r’[j] is a hidden transition and 7 £4 I(vis,(m)) for all n < k} 


We then define r” to be the sequence w,v[1]wev[2]...v[k]we4i, where each w; is the sequence 
of transition-occurrences of r’ corresponding to z;; that is, |w,;| = |z;| and w;[n] = r’[z;[n]] for 
all 1 <n < |z,;|. Hence, for all 1 <i < k, r“[vis,.(2)] = v[2] = rT (vis, (2))]. 

Let 


T(vis,(visni(t))) if r’[Z] is a visible transition 


C(t) = if for some (necessarily unique) n and hidden transition t 
m r"[a] is the n*® occurrence of ¢ in r’”, and 
r'[m] is the n™ occurrence of ¢ in r’ 


It is straightforward but tedious to show that C’ is a label-preserving bijection between the 
transition-pomsets of r” and r’; the details are left to the reader. 

To show that C is an order-isomorphism, it clearly suffices to show that C and C7! preserve 
proximate causes. Suppose that event 2 is a proximate cause of event j in the transition- 
pomset of r”; then i < j and transition r”[?] and transition r”[j] are not statically concurrent 
in N’. Then by definition of r” and C, transition r’[C(i)] and transition r’/[C(j)] are not 
statically concurrent in N’. For one case, suppose that both r”[?] and r’[j] are visible transitions. 
C(j) < C(2) would imply that event Cj) is a proximate cause of event C(2) in the pomset- 
trace of r’; since J is an isomorphism between the pomset-trace of r and the pomset-trace of 
r’, it would follow that event J~'(C'(j)) causes event [~'(C(%)) in the pomset-trace of r, and 
so I-1(C(j)) < I7*(C(2)). Clearly, vis, and vis; are monotone functions, implying that j < i, 
a contradiction. Hence C(z) < C(j), and so event C(t) is a proximate cause of event C(j) in 
the transition-pomset of r’, proving this case. 

For another case, suppose that r’[?] is a hidden transition t, and r’[j] is a visible transition. 
Then for some n, r”[t] is the n occurrence of ¢ in r” and r[C(%)] is the nm‘ occurrence 
of t in r’. Let n’ be the number of occurrences of t preceding r”[j] in r”; clearly, n’ > n 
since i < j. By definition of r”, r’[j] = v[visai(j)]; hence by definition of the z;, there are 
distinct [,,...,dn7 im 20+ 2Zyig-1(y) Such that r’[L],...,7r'[In/] is each an occurrence of ¢. Let / 
be the maximum of /,,.. es lpit from the definition of C and the z,, / > C(j) would imply that 
there is some j’ < j such that r’[C(j‘)] is a visible transition and 1 <, C(j’). Then, clearly, 
O(j) <q Lb <q C(j), and so I(vis,(visai(J))) <q [(vis,(visar(j’))). Since I is an isomorphism 
between the pomset-traces of r and r’, it would follow that vis,(visa/(j)) <q vis,(visn/(j’)), and 
so vis,(visai(j)) < vis,(visn'(j’)). The monotonicity of vis, and vis; would then imply that 
j <j’, a contradiction. Thus, 1 < C(j) after all; now, C(j) < C(i) would imply that there are 
n' > n occurrences of t preceding r/[C(2)] in r’, contradicting the fact that r’[C(2)] is the n‘® 
occurrence of t in r’. Hence C(2) < C(j), and so event C(7) is a proximate cause of event C'(j) 
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in the transition-pomset of r’, proving this case. 

The proofs of the other cases and the other direction are similar, and are left to the reader. 

The proof that r” is a run of N’ is identical to that for Lemma 6.2.6. 

Clearly, vis, o vis7'o I~! is an isomorphism between the pomset-trace of r’ and the pomset- 
trace of r’. Pomset isomorphisms are closed under function composition; thus, vis, 0 visy! o 
I~‘ oT is an isomorphism between the pomset-trace of r and the pomset-trace of r”’. It follows 
easily from the definitions of a,,., vis,, and vis,v that a, 0 = Visp © vis. ', proving that r and 
r are synchronous, and completing the proof of the lemma. : 


The notion of maximal cause must now be sharpened to be a maximal visible cause. 


Definition 6.2.21 Let N be a net, let p be a transition-pomset of N, and let e,e’ € Events,. 
Event e’ is a maximal visible cause of event e in p providing [,(e’) is a visible transition of NV, 
e’ <, e and there is no event e” € Events, such that l,(e”) is a visible transition of N and 
e! <p €” <p €. 


Then Proposition 6.2.8 generalizes as follows: 


Proposition 6.2.22 Let r,7r’ be transition-sequences and let t,t’ be visible transitions of nets 
N,N’, respectively. Then r.t and r’.t’ are synchronous iff 


e rand?’ are synchronous, 
e ¢ and ?#’ have the same label, and 


e a,, restricted to the maximal visible causes of event |r| + 1 in the transition-pomset of 
r.t is a bijection onto the maximal visible causes of event |r’| + 1 in the transition-pomset 
of rt’. 


Also, if ¢ is a hidden transition, then r.t and r’ are synchronous iff r and r’ are synchronous. 


The proof is completely straightforward and is left to the reader. 
The notion of growth-sites extends to hidden transitions as follows: 


Definition 6.2.23 Let r be a transition-sequence of a net N. Let most-recent(r) be the set of 
most recent firings in r of each transition. Let maz-visible-causes(t,r) be the maximal visible 
causes (in the transition-pomset of r) of the most recent firing in r of transition t. Then 
growth-sites(r) is the restriction of the transition-pomset of r to 


most-recent(r) U | {maz-visible-causes(t, r):tis a hidden transition}. 
As before, the maximal causes will necessarily be a subset of the events in the growth-sites: 


Proposition 6.2.24 Let r =¢,...t, be a transition-sequence and t be a visible transition of 
a net N. Then the maximal causes of event n + 1 in the visible-pomset of r.t are a subset of 
the events of growth-sites(r). 
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Proof. Suppose event i of the visible-pomset of r.¢ is a maximal cause of event n+ 1. For 
one case, suppose that event 7 is also a maximal cause of n+ 1 in the transition-pomset of r.t; 
then % € most-recent(r) by a proof identical to that of Proposition 6.2.10. For the other case, 
there must be some event k in the transition-pomset of r.t such that ¢t, is a hidden transition, 
event 7 causes event k, and event & is a maximal cause of event n+ 1. It follows by the same 
reasoning as in the proof of Proposition 6.2.10 that event & must be the most-recent firing of 
transition ¢, in r. Therefore, event 2 not being in growth-sites(r) would imply that event 7 is 
not a maximal visible cause of event &. There would thus be some event j in the transition- 
pomset of r such that ¢; is a visible transition, event 7 causes event 7, and event 7 causes event 
k. But this would contradict event 2 being a maximal cause of n+1 in the visible-pomset of r.t. m 


We now observe that the growth-sites of transition-sequence r.t are fully determined by ¢, 
the growth-sites of r, and the static concurrency relation of \V: 


Proposition 6.2.25 Let r be a transition-sequence and t a transition of a net N. Then an 
event 7 is a visible cause of event |r.¢| in the transition-pomset of r.t iff i € growth-sites(r), r[?] 
is a visible transition, and there is some event 7 € growth-sites(r) such that transition r[j] and 
t are not statically concurrent, and either event 7 causes event 7 in growth-sites(r) or 7 = j. 
Furthermore, an event 7 is a maximal visible cause of event |r.t| in the transition-pomset of r.t 
iff event 7 is a visible cause of event |r.t| in the transition-pomset of r.t and there is no event 
k € growth-sites(r) such that event i causes event k in growth-sites(r) and event k is a visible 
cause of event |r.¢| in the transition-pomset of r.t. 


The proposition is a straightforward consequence of Proposition 6.2.10; the details are left 
to the reader. 


Proposition 6.2.26 Let r = t,...¢, bea transition-sequence of anet N. Then most-recent(r) = 


{i € growth-sites(r): there is no event 7 € growth-sites(r) 
such that 7 > 7% and l growth-sitesr)(?) = lgrowth-siter)(J)5 


Furthermore, maz-visible-causes(t,, 7) = 


{i € growth-sites(r): there is some event 7 € most-recent(r) 
such that lgrowth-sitesr) (J) = t, and 
event 27 is a maximal visible cause of event 7 
in growth-sites(r)} 
The proposition is a simple consequence of Definition 6.2.23; the details are left to the 
reader. 


Proposition 6.2.27 Let r be a transition-sequence and ¢ a transition of a net N. Then 
growth-sites(r.t) = 


{|r.t|} U {2 € growth-sites(r): either 7 € most-recent(r) and r[i] 4 t 
or i € maz-visible-causes(t’, r) 
for some hidden transition t’ # ¢ 
or i € maz-visible-causes(t, r.t) 
and t is a hidden transition } 
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Proof. Clearly, event |r.t| is the most-recent firing of transition ¢ in r.t, and the most- 
recent firing of any other transition is the same in r and r.t. Furthermore, the maximal visible 
causes of the most-recent occurrence of any hidden transition other than ¢ are the same in the 
transition-pomsets of r and r.t, from which the highlighted equality immediately follows. : 


As an immediate consequence of the preceding three propositions, we have: 


Proposition 6.2.28 Let r be a transition-sequence and ¢ a transition of a net N. Then 
growth-sites(r.t) is fully determined by t, growth-sites(r), and the static concurrency relation of 


N. 


Our definition of growth-site correspondences is also modified accordingly; this new defini- 
tion will coincide with Definition 6.2.13 for nets without hidden transitions. 


Definition 6.2.29 Let r and r’ be transition-sequences of nets N and N’, respectively. Then 
gsc(r,r’) is defined iff r and r’ are synchronous. Furthermore, if r and r’ are synchronous, then 
gsc(r,r’) is the 1-1 partial function 

2: growth-sites(r)— growth-sites(r’) such that 


graph(B) = graph( ay) A (Events; gro wth-sitesr)) x Events growth-sitesr’))): 


In particular, growth-sites(r) is the source of gsc(r,r’), and growth-sites(r’) is the target of 
gsc(r, 7’). 


Again, the growth-site correspondences are significant only up to isomorphism: 


Lemma 6.2.30 Let r,,7r2 be transition-sequences of net N and let r, 74 be transition-sequences 
of net N’. If gse(ri,r}) © gsc(r2, 75), then 


0 gsc(ry.t,r).t’) & gse(re.t,r5.’) for any pair of visible transitions t and t of N and N’, 
respectively. 


e gsc(r).t,r)) © gsc(r2.t,r5) for any hidden transition t of NV. 
e gsc(r1,7).t') & gsc(re, rt’) for any hidden transition t’ of N’. 


The proof is a straightforward but tedious adaptation of the proof of Lemma 6.2.15 and 
uses Definitions 6.2.1, 6.2.19, 6.2.23, and 6.2.29, and Propositions 6.2.22, 6.2.28, and 6.2.24, 
instead of the corresponding definitions and propositions in the previous section. The details 
are left to the reader. 

We note that it follows from Definition 6.2.23 that the size of the growth-sites of any 
transition-sequence of a net is bounded by the square of the number of transitions in that net. 

We remark that, in order to allow hidden transitions to move independently, the alphabet 
of the automaton of Theorem 6.2.16 is generalized to pairs (uw, wu’), where either wu and wu’ are 
both visible transitions of the respective nets, or exactly one of wu and wu’ is a hidden transition 
of the respective net and the other is a special symbol e. We refer to any sequence w of such 
pairs as a e-pair-sequence, and for 7 = 1,2, we write proj;(w) to denote the projection of w 
onto its 2** component alphabet, with all occurrences of ¢ omitted. 
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Theorem 6.2.31 For any finite nets N and N’, there is a deterministic finite-state automaton 
recognizing the set of pairs of synchronous transition-sequences of N and N’. If m and m’ are 
the number of transitions in N and N’, respectively, then the number of states in the automaton 
is bounded by cmaxtmm'}" for some fixed constant c > 1. 


Proof. The states of the automaton are the isomorphism classes of growth-site corre- 
spondences between transition-sequences of N and N’. A state @ moves to a state y via a pair 
(¢,t') of transitions iff @ is the isomorphism class of gsc(r,r’) and ¥ is the isomorphism class of 
gsc(r.t, r’.t’) for some transition-sequences r and r’ of N and N’, respectively. A state 3 moves 
to a state y via a pair (t,¢) iff @ is the isomorphism class of gsc(r,r’) and 7 is the isomorphism 
class of gsc(r.t,r’) for some transition-sequences r and r’ of N and N’, respectively; a similar 
definition applies to pairs (¢,¢’). The start state is the isomorphism class of the empty function, 
and all states are accepting. By Lemma 6.2.30, this automaton is deterministic. 

If w = (uy, u,)...(ug, u,) is in the language of the automaton, then by Lemma 6.2.30, 
the final state reached must be the isomorphism class of gsc(proj,(w), projo(w)). Hence, this 
growth-site correspondence is defined, and so proj,(w) and proj.(w) are synchronous. Con- 
versely, if proj;(w) and proj2(w) are synchronous, then 
gsc( proj, (w’), projo(w’)) is defined for all prefixes w’ of w. Hence, by Lemma 6.2.30 and the 
definition of the automaton, w is in its language. 7 


As before, we conclude: 


Corollary 6.2.32 For any finite nets N and N’, there is a finite-state automaton whose lan- 
guage is the set of runs r of N for which there is some run r’ of N’ such that r and r’ are 
synchronous. If m and m’ are the number of transitions in N and N’, respectively, and n 
and n’ are the number of places in N and N’, respectively, then the number of states in the 
automaton is bounded by dmax{mm'}"+max{n.n'} for some fixed constant d> 1. 


Proof. The number of states in the deterministic automaton whose alphabet consists of 
e-pairs and that recognizes the set of pairs of runs of N and N’ is b™@xt.”'} for some fixed 
constant 6 > 1. The intersection of this automaton with that of Theorem 6.2.31 has number 
of states bounded by dmaxtmm'}"+maxtn.n'} for some fixed constant d > 1. Then renaming each 
input symbol (t, t’) by symbol ¢, renaming each input symbol (t,e) by ¢, and renaming each in- 
put symbol (e,t’) by ¢ does not change the number of states and yields the desired automaton. m 


The earlier argument without hidden transitions now carries over: 


Theorem 6.2.33 The pomset-trace equivalence problem for finite nets that may contain hid- 
den transitions can be decided in space exponential in the number of places and transitions in 
the nets. 


Proof. Since, language equivalence of automata with ¢-moves is decidable in space pro- 
portional to the size of the automata [22], the proof of the theorem is identical to that of 
Theorem 6.2.18, except that it uses Lemma 6.2.20 and Corollary 6.2.32. : 
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6.3. History-Preserving Bisimulation and Pomset-Bisimulation 


In this section, we assume that all nets may contain 7-labeled transitions. We begin by defining 
history-preserving bisimulation on nets. Our definition induces the same equivalence as that of 


[5, 35, 39, 50, 46). 


Definition 6.3.1 A set 1 of triples of the form (r,7r’, f) is a history-preserving bisimulation 
between nets N and N’ iff 


1. If(r,r’, f) € H, then r and r’ are runs of N and N’, respectively, and f is an isomorphism 
between pomset-trace(r) and pomset-trace(r’). 


2. (€,¢,0) © H, where ¢ is the empty transition-sequence. 


3. If (r,7’, f) € H and rt is a run of N, then there is some, possibly empty, sequence of 
transitions t, ...¢/, and some function f’ such that 
((r.t), (rt, ...t,),f) € H and f’ restricted to pomset-trace(r) equals f. 


A. If (r,r’, f) © H and r’.t’ is a run of N’, then there is some, possibly empty, sequence of 
transitions ¢, ...¢, and some function f’ such that 
((r.t,...&,),(rU), f) © H and f’ restricted to pomset-trace(r) equals f. 


Vogler [46, 48] has given an alternate characterization of history-preserving bisimulation 
based on partially ordered sets of places, together with a decidability result. We give an alternate 
proof based on the approach presented in Section 6.2. We recall that the finite automaton 
described in Theorem 6.2.31 is deterministic, and we let update refer to its state-transition 
function. Furthermore, for any e-pair-sequence w and any gsc 2, we write update(f,w) to 
mean the successive application of update to each of the pairs in w. For any net N, we write 
init(.N) to denote the initial marking of NV. 


Definition 6.3.2 A set G of triples of the form (M, M’, 3) is an gsc-bisimulation between nets 
N and N’ iff 


1. If (M, M’', 8) €G, then M and M’ are markings of N and N’, respectively, and { is an 
isomorphism class of growth-site correspondences between N and N’. 


2. (init(N), init(N’),0) € G. 


3. If (M, M’',3) €G and M[t)M, for some transition t and some marking M,, then there is 
some marking Mj; and some e-pair-sequence w such that proj,(w) = t, M'[projo(w)) Mj 


and (M,, Mj, update(3, w)) € G. 


4. Vice-versa; if (M,M’', 3) © G and M'{t’)M) for some transition t/ and some marking M/, 
then there is some marking M, and some e-pair-sequence w such that projo(w) = t, 


M[proji(w))M, and (M,, Mj, update(3,w)) € G. 


Lemma 6.3.3 Nets are history-preserving bisimilar iff they are gsc-bisimilar. 
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Proof. For one direction, let H be a history-preserving bisimulation between nets N and 
N’. Let 


G = {(M, M',gscr,r’)): (r, 7’, gse(r,r')) € H, init( N)[r)M and init(N')[r’) M’}. 


Property (1) and (2) of Definition 6.3.2 follow easily from Definition 6.2.29 and Definition 6.3.1; 
the details are left to the reader. To prove property (3), let (7, MW’, 3) € G and let transition t 
and marking M, be such that M[t)M,. Clearly, there must be some (r,7r’, gsc(r,r’)) € H such 
that § = gsc(r,r’), init(N )[r)M, and init(.N’)[r’)M’. By Definition 6.3.1, r.tis a run of NV, and 
so property (3) of Definition 6.3.1 implies the existence of some, possibly empty, sequence of 
transitions t,...t), and some function f’ such that ((r.t), (rt, ...t,), f/) © H and f’ restricted 
to pomset-trace(r) equals gsc(r,r’). Definition 6.3.1 implies that f’ is an isomorphism between 
the pomset-traces of r.t and r’.t)...t,, from which it then follows easily from Definition 6.2.29 
that f’ = gsc(r.t,r’.t,...t,). The definition of e-sequences, the definition of update, and the 
definition of G then immediately imply that property (3) of Definition 6.3.2 must hold for G. 
A similar proof holds for property (4), and hence G is a gsc-bisimulation. 

For the other direction, let G be a gsc-bisimulation between nets N and N’. We define the 
set of triples H inductively as follows. For the basis step, let 7 = {(¢,¢,0)}. For one inductive 
step, if (7,7, f) € H, and for some f, t ...th, 


1. r.tis arun of N, r’.t,...t, is a run of N’, and 
2. (M, M’, gsc(r.t, rt) ...t,)) € G, where init(.N )[r.t)M and init(.N’)[r’.t) ...0,)M’, 


then (rt, rt... t, Ortrrt! ot) © A. 
For the other inductive step, if (r,r’, f) € H, and for some t, ...t,, , 


1. rt,...t, is arun of N, r’.t’ is a run of N’, and 
2. (M, M’, gsc(r.ty ...th, 7’) € G, where init(.N )[r.t,...t,)M and init(.N’)[r.t).M’, 


then (rt). ..th 1, Opty rit!) © He. 

By the definition of gsc and the a, it is clear that properties (1) and (2) of Definition 6.3.1 
hold for H. To prove (3), suppose that (r,r’, f) € Hand r.tisarun of N. Then (M, M’, gsc(r,r’)) € 
G, where init( N)[r)M and init(.N’)[r’)M’. Let M, be the marking such that init(.N)[r.t)M). 
Then by the definition of gsc-bisimulations, there is some marking Mj; and some e-pair-sequence 
w such that proj,(w) = t, M'[projo(w)) Mj and (M,, M{, update(gsc(r, 1’), w) € G. Let projo(w) = 
t,...t,; then by definition, update(gsc(r, r’), w) is isomorphic to gsc(r.t, rt, ...t,), 
so (rt, rth .. ty QUptrtttt!) € H. It is easy to see by the definition of a that On trhtt a, Te 
stricted to the pomset-trace of r is equal to a,., which is in turn equal to f, proving this case. 
The proof of (4) is analogous. = 


As in Section 6.2.2, it is easy to see that for any finite net, the number of triples (7, M’, 3) 
is bounded by an exponential in the sizes of the nets. We use this fact in our decision procedure: 


Theorem 6.3.4 For finite nets that may contain hidden transitions, history-preserving bisim- 
ulation can be decided in deterministic time exponential in the number of places and transitions 
in the nets. 
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Proof. The algorithm to decide history-preserving bisimulation of nets N and N’ is similar 
to the decision procedure for (interleaving) bisimulation by successive refinement. We start with 
a set Go that contains all possible triples, and each step, we shrink this set. Specifically, we 
define inductively: 


Go = {(M,M’',3): M, M’ are markings of N,N’, 
and (3 is a gsc-isomorphism class between N and N’} 
Gia1 = {(M,M’',8) €G;: for every transition ¢ and marking M, with M[t)M,, 


there is some marking M; and some e -pair-sequence w 
such that proj,(w) = t, M’[proje(w)) Mi, 
and (M,, Mj, update(3, w)) € G; 


and vice-versa} 
We now show that N and N’ are gscbisimilar iff 
(init(.N), init(N'),0) € G 


for any & that exceeds the number of possible triples (M, M’, 3). For one direction, let G’ be a 
gsc-bisimulation between NV and N’. Using Definition 6.3.2, a simple induction on 2 shows that 
G' CG; for all i > 0. Since Definition 6.3.2 implies that (init(.N), init(N’),0) € G’, we have 
that (init(.N), init(N’),0) € G,, as desired. For the other direction, we observe that for all ¢, 
G41 is either a strict subset of G; or G; = G; for all 7 > 2. Since k is greater than the number 
of triples, it immediately follows that G, = G.4,. Thus, by Definition 6.3.2 and the definition 
of the G;, Gz is a gsc-bisimulation whenever it contains (init(.N), init(.N’), 0). 

We observe that & is easily bounded by an exponential in the sizes of N and N’. It is also 
easy to check that G, can be computed in DEXPTIME in the size of N and N’ (using a transitive 
closure technique as in [26] to calculate the existence of a e-pair-sequence w). Thus, it can be 
checked in deterministic time exponential in the number of places and transitions in N and N’ 
whether (init(.N), init(.N’),0) € G,, and hence the theorem follows easily from Lemma 6.3.3. m 


We now define pomset-bisimulation. Our definition induces the same equivalence as that of 


[6, 39, 50). 


Definition 6.3.5 A set P of pairs of the form (M, M’) is a pomset-bisimulation between nets 
N and N’ iff 


1. If (M, M’) € P, then M and M’ are markings of N and N’, respectively. 
2. (init(.N), intt(N’)) € P. 


3. If (M,M’') € P and M[r)M, for some transition-sequence r and some marking M,, then 
there is some transition-sequence r’ and some marking M; such that the pomset-traces 
of r and r’ are isomorphic, M’[r’) Mj, and (M,, Mj) € P. 


4. Vice-versa; if (M,M’) € P and M'[r’) M{ for some transition-sequence r’ and some mark- 
ing Mj), then there is some transition-sequence r and some marking M, such that the 
pomset-traces of r and r’ are isomorphic, M[r)M,, and (M,, Mj) € P. 
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Theorem 6.3.6 For finite nets that may contain hidden transitions, pomset-bisimulation can 
be decided in space exponential in the number of places and transitions in the nets. 


Proof. The algorithm to decide pomset-bisimulation of nets NV and N’ is also by successive 
refinement. We start with a set Pp that contains all possible pairs, and each step, we shrink 
this set. Specifically, we define inductively: 


Po = {(M,M’): M,M' are markings of N, N’} 


Pink = {(M,M’') © P;: for every transition-sequence r and marking M, with M[r)M,, 
there is some transition-sequence r’ and some marking Mj 
such that the pomset-traces of r and r’ are isomorphic, 
M'[r') Mj, and (M,, M1) € P; 


and vice-versa} 
It is straightforward to show that N and N’ are pomset-bisimilar iff 
(init(.N), init(.N')) € Py 


for any & that exceeds the number of pairs, and this number is easily bounded by an exponential 
in the sizes of N and N’. To compute each P;,;, we use the following straightforward modifi- 
cation of the decision procedure for pomset-trace equivalence. For each pair (M, M’) € P,, let 
Ny be N, except that the initial marking of Nyy is M (rather than init(.N)); net Nj,, is defined 
similarly. As in the proof of Corollary 6.2.32, we intersect the automaton that recognizes the 
set of pairs of runs of Nyy and Nj,, with the automaton of Theorem 6.2.31 constructed for Nay 
and Ni,,. Each state of the resulting automaton is a pair of the form (f,(M,, M{)), where M, 
is a state of Ny and Mj is a state of Ni,,. For each state (3,(M,, M{)), we now add a new M,- 
labeled transition iff (M1, M{) € P;; all such transitions lead to a single new, accepting state. 
All other states of the automaton are defined to be non-accepting. We then relabel the other 
transitions (w, u’) as in the proof of Corollary 6.2.32. Thus, the language of this automaton is 
all pairs (r, M,) of runs r and corresponding final marking M, of Ny for which there is some 
run r’ and corresponding final marking M/, of Ny,, such that r and r’ are synchronous and 
(M,,M/_) € P;. It is easy to see that the transition table of this modified automaton remains 
exponential in the sizes of N and N’. (An similar automaton is also constructed whose language 
is all pairs (r’, M/,) of runs r’ and corresponding final marking M/, of Nj4,, for which there is 
some run 7 and corresponding final marking M, of Ny, such that r and r’ are synchronous and 
(M,, ML) € P;.) 

By Proposition 6.2.4, Definition 6.2.19, and Lemma 6.2.20, it is then straightforward to 
show that (M, M’') € Pi4, iff (1) the language of the finite-state automaton given above is the 
set of all pairs (r, M,) such that r is a run of Ny and M[r)M,, and (2) the language of the 
similar automaton constructed for N4,, is the set of all pairs (7’, M,.) such that r’ is arun of Nj, 
and M'[r’)M,.. It is easy to construct other finite-state automata of essentially the same size, 
recognizing the set of such pairs (r, M,) or the set of such pairs (r’, M,-). So (M,M’) € Pisi 
iff each of the two appropriate pairs of automata recognize the same language. Since language 
equivalence is checkable in space proportional to the size of the automata [22], each P; can be 
computed in space exponential in the size of N and N’, and hence so can P,. : 
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6.4 Deciding Other True Concurrency Equivalences 


Since the transition system of a net is a finite-state automaton, the decision procedures for the 
interleaving trace, failure and bisimulation equivalences for nets follow directly from the results 
of Kanellakis& Smolka [26] for finite-state automata. 


Theorem 6.4.1 For finite nets that may contain hidden transitions, the trace equivalence 
problem and the failure equivalence problem can be decided in space which is a product of an 
exponential in the number of places in the nets and a polynomial in the number of transitions 
in the nets. Furthermore, the bisimulation problem, the delay bisimulation problem, and the 
branching bisimulation problem can be decided in deterministic time which is a product of an 
exponential in the number of places in the nets and a polynomial in the number of transitions 
in the nets. 


Proof. The transition system of a finite net is a deterministic finite-state automaton 
whose states correspond to the reachable markings of the net and whose transitions correspond 
to transitions of the net. Let m and m’ be the number of transitions in N and N’, respectively, 
and let n and n’ be the number of places in N and N’, respectively. Then the maximum of the 
number of transitions in these automata is bounded by m-2™°*t™""} and the maximum of the 
number of states in these automata is bounded by 2™*t™"'}, Clearly, relabeling each visible 
transition t with the label of ¢ and relabeling each hidden transition ¢’ with ¢ does not change 
the sizes of the automata. 

By definition, the finite nets are trace, failures, or bisimulation equivalent iff these finite-state 
automata with ¢-moves are respectively trace, failures, or bisimulation equivalent. Trace equiv- 
alence of finite-state automata is checkable in space proportional to the size of the automata 
[26], while bisimulation equivalence is checkable in PTIME [26], as are delay bisimulation and 
branching bisimulation [17]. The decision procedure for divergence-respecting failures equiv- 
alence [9] of finite-state automata is a straightforward generalization of Kannelakis&Smolka’s 
PSPACE decision procedure for divergence-blind failures equivalence. : 


The decision procedures for most of the other true concurrency equivalences in Table 6.1 
then follow from reductions to the corresponding interleaving equivalences, which are part of 
known full abstraction proofs [23, 25, 47, 49]. 


Theorem 6.4.2 For finite nets that may contain hidden transitions, the step-trace equivalence 
problem and the step-failure equivalence problem can be decided in space exponential in the 
number of places and transitions in the nets. Furthermore, the step-bisimulation problem can 
be decided in deterministic time exponential in the number of places and transitions in the nets. 


Proof. By a known full abstraction result [25], there is a context C]-] involving only a 
self-synchronization operator [25] such that nets N and N’ are step-trace, step-failures, or step- 
bisimulation equivalent iff the nets C[N] and C/N’) are respectively trace equivalent, failures 
equivalent, or bisimulation equivalent. In particular, C[-] adds a new transition for every set of 
pairwise statically concurrent transitions, and does not add any new places. 
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Let m and m’ be the number of transitions in N and NN’, respectively, and let n and n’ be 
the number of places in N and N’, respectively. Then the maximum of the number of transi- 
tions in C[N] and C[N’] is bounded by 2}, and the maximum of the number of places 
in C[N] and C[N’] is bounded by max{n,n’}. The proof then follows easily by Theorem 6.4.1. m 


The decision procedure for interval-pomset-trace equivalence and interval-pomset-failure 
equivalence relies on a full abstraction result involving action refinement: 


Theorem 6.4.3 For finite nets that may contain hidden transitions, the interval-pomset-trace 
equivalence problem and the interval-pomset-failures equivalence problem can be decided in 
space exponential in the number of places and transitions in the nets. 


Proof. By known full abstraction results [23, 47], there is a context C]-] built from 
split and choice refinements such that nets N and N’ are interval-pomset-trace equivalent or 
interval-pomset-failures equivalent iff the nets C[N] and C[N’] are respectively trace equivalent 
or failures equivalent. In particular, CJ-] refines every visible transition by the net af.ayj +...+ 
aj .a;, where a is the label of the visible transition and k is bounded by the maximum of the 
number of transitions in N and N’. 

Let m and m’ be the number of transitions in N and N’, respectively, and let n and n’ be the 
number of places in N and NV’, respectively. Then the maximum of the number of transitions in 
C[N] and C[N’] is bounded by 2-max{m, m’}° + 1, and the maximum of the number of places 
in CIN] and C[N’] is bounded by max{n, n'} + max{m, m’'}°. The proof then follows easily by 
Theorem 6.4.1. 7 


Vogler [49] has shown that the interval-pomset equivalences coincide with the ST-equivalences 
[39, 42]. We have as an immediate consequence: 


Theorem 6.4.4 For finite nets that may contain hidden transitions, the ST-trace equivalence 
problem and the ST-failure equivalence problem can be decided in space exponential in the 
number of places and transitions in the nets. Furthermore, the ST-bisimulation problem can be 
decided in deterministic time exponential in the number of places and transitions in the nets. 


Proof. The proofs for ST-traces and $T-failures is identical to that of Theorem 6.4.3, 
while the proof for ST-bisimulation uses the same context C[-] to yield a reduction to bisimu- 
lation. The desired upper bound then follows by Theorem 6.4.1. : 


Using the decision procedure for history-preserving bisimulation, a similar result holds for 
maximality-preserving bisimulation [13]: 


Theorem 6.4.5 For finite nets that may contain hidden transitions, the maximality-preserving 
bisimulation problem can be decided in deterministic time exponential in the number of places 
and transitions in the nets. 


Proof. Let C[-] be the net context involving split and choice refinements given in the 
proof of Theorem 6.4.3. Then by a proof similar to that of [45], nets N and N’ are maximality- 
preserving bisimilar iff the nets C[N] and C[N’] are history-preserving bisimilar. The theorem 
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is then a simple consequence of Theorem 6.3.4. : 


Lastly, our decision procedure for pomset-bisimulation yields one for pomset-ST-bisimulation [50]: 


Theorem 6.4.6 For finite nets that may contain hidden transitions, the pomset-ST-bisimulation 
problem can be decided in space exponential in the number of places and transitions in the nets. 


Proof. Let C[-] be the net context involving split and choice refinements given in the 
proof of Theorem 6.4.3. Then by a proof similar to that of [45], nets N and N’ are pomset- 
ST-bisimilar iff the nets C[N] and C[N’] are pomset-bisimilar. The theorem is then a simple 
consequence of Theorem 6.3.6. 7 


6.5 Lower Bounds 


The lower bounds for trace equivalence and bisimulation essentially follow from previous results 
of Mayer&Stockmeyer on Mazurkiewicz nets and regular expressions with interleaving. In 
particular, Mayer&Stockmeyer [29] have shown the EXPSPACE-hardness of deciding whether the 
language of a regular expression with interleaving is &*. Our EXPSPACE lower bound for trace 
equivalence of finite 1-safe Petri nets follows by a polynomial-time reduction. For expository 
simplicity, we first give the proof for nets that may contain hidden transitions. 


Theorem 6.5.1 The problem of deciding whether the language of a regular expression with 
interleaving is %* is polynomial-time reducible to trace equivalence of finite nets that may 
contain hidden transitions. 


Proof. Let » be a finite alphabet consisting only of visible labels, and let \/ ¢ % bea 
visible label. For any regular expression r over © built from {U, +,-,||}, we give an inductive 
translation to finite l-safe nets with labels from UU {7, /}. Each of these nets will have exactly 
one \/-labeled transition, and the post-set of this transition will be empty. 

The translation, net, uses net operators defined in [23]; we do not repeat the definitions 
here. However, we slightly modify the internal choice operator presented there to ensure that 
the resulting nets always have exactly one ,/-labeled transition. This in turn guarantees that 
the translation net can be performed in polynomial-time; that is, for any regular expression 
r with interleaving, the net net(r) can be constructed in deterministic time polynomial in the 
number of symbols in r. 

For every a € %, a is the net corresponding to a.,/. The - operator is modeled by the 
sequencing operator on nets. The * operator applied to a net N adds the initially marked 
places of N to the post-set of its /-labeled transition, relabels the \/-transition with 7, and 
hooks up a single new ,/-labeled transition to the set of initially marked places of N. The union 
operator applied to nets N and N’ is modeled by the internal choice operator on nets except 
that in addition, the \/-labeled transitions of N and N’ are relabeled by 7, one common new 
place is added to the postset of both of these relabeled transitions, and this new place feeds into 
anew ,/-labeled transition. The interleaving operator applied to nets N and N’ is modeled by 
the non-communicating parallel composition operator on nets, in which N and N’ are simply 
placed side by side but required to synchronize on \/-labeled transitions. We note that since all 
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nets in the target of net have exactly one \/-labeled transition, the non-communicating parallel 
composition operator takes only a trivial cross-product of the \/-labeled transitions and hence 
adds no extra transitions (or places). This ensures that net is a polynomial-time translation in 
the length of r. 

It is straightforward to show by induction that each of the nets in the target of net will 
immediately reach a deadlocked state whenever its (necessarily unique) \/-labeled transition 
fires. Furthermore, this \/-labeled can be fired from any reachable marking, after first perform- 
ing a finite, possibly empty, sequence of other transitions. For any regular expression r with 
interleaving, it follows by a simple induction that 


L(r) = {v € &* | vy/ is a trace of net(r)}, 


where L(r) is the language of r. 

Let Ny» be the finite net with exactly |%|+1 transitions, each uniquely labeled from NU{/}, 
and exactly one place, which is initially marked and is in the preset of all the transitions and in 
the post-set of all the transitions not labeled with \/. The set of traces of Ny» is the prefix closure 
of &*-./. We show that for any regular expression r with interleaving, L(r) = X* iff net(r) 
and Ny» are trace equivalent. One direction follows immediately from the equality highlighted 
above. For the other direction, suppose E(r) = \*. Since firing the \/-labeled transition 
immediately puts net(r) in a deadlocked state, clearly the traces of net(r) are contained in the 
traces of Ny». For the reverse containment, it follows immediately from the highlighted equality 
that the set &*- / is contained in the traces of net(r). Since traces are prefix-closed, the set 
&* is also contained in the traces of net(r), and so net(r) and Ny« are trace-equivalent. 

This is a polynomial-time reduction from deciding whether the language of a regular ex- 
pressions with interleaving is &* to trace equivalence of finite nets with hidden transitions. 


We then have as a corollary: 


Theorem 6.5.2 For finite nets that may contain hidden transitions, trace equivalence is EXPSPACE- 


hard. 


We now modify the proof of Theorem 6.5.1 to yield the lower bound for trace equivalence 
of finite nets without hidden transitions. 


Theorem 6.5.3 The problem of deciding whether the language of a regular expression with 
interleaving is &* is polynomial-time reducible to trace equivalence of finite nets without hidden 
transitions. 


Proof. Let net be the translation defined in the proof of Theorem 6.5.1, and let 1 ¢ 
(U* U {./}) be a visible label. For any regular expression r with interleaving, we define a new 
translation Net from net(r) as follows: first, we relabel all 7-labeled transitions in net(r) with 
the label 1, then for every place s in net(r), we add a new 1-labeled transition and put it in 
the preset and postset of the place s (i.e., in a self-loop under s). Net(r) is defined to be the 
resulting net, and clearly can be constructed in polynomial time in the length of r. Furthermore, 
Net(r) satisfies all the properties of ned(r) specified in the proof of Theorem 6.5.1 concerning 
markings and \/-labeled transitions. The labeled transition system of Net(r) is identical to that 
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of net(r), except that all 7-labeled transitions are replaced by 1-labeled transitions, and every 
state has a 1-labeled transition trivially looping back to itself. 

It is straightforward to show by induction that for any regular expression r with interleaving, 
net(r) can perform at most 4-|r| consecutive r-moves, where |r| is the number of symbols in r. 
By construction of Ne#(r), it then follows that: 


L(r) = fay...a, € S* {alae . ait! is a trace of Net(r)}. 


For any regular expression r with interleaving, let N, be the finite net with 4- |r| + |©|+1 
transitions and 4-|r|+1 places, whose set of traces is the prefix-closure of (14 !"!.")*-14!"l.//; 
the intended definition of N, is obvious and omitted. By reasoning similar to that of the proof 
of Theorem 6.5.1, it follows that L(r) = X* iff the set of traces of Net(r) contains the set of the 
traces of N,. The details are left to the reader. 

To reduce trace-containment to trace equivalence, we observe that for any nets N; and No, 
the set of traces of N, contains the set of traces of No iff the net (My surya3 No») and the 
net Ne. are trace equivalent, where sury,a} is a parallel composition operator which requires 
synchronization on (visible) labels and hence corresponds to trace intersection. Furthermore, 
the size of N, sury.a3 Nz is polynomial in the sizes of N, and No, giving a polynomial-time 
reduction from trace containment to trace equivalence, and proving the theorem. : 


We then have as a corollary: 
Theorem 6.5.4 For finite nets without hidden transitions, trace equivalence is EXPSPACE-hard. 


Using these results, we obtain a lower-bound for failures equivalence; the proof is very 
similar to that of Kanellakis&Smolka [26] for finite-state automata. 


Theorem 6.5.5 For finite nets without hidden transitions, trace equivalence is polynomial- 
time reducible to failures equivalence. 


Proof. For any finite nets N,; and N» without hidden transitions, let N/ be constructed 
by adding to N; a single new, initially marked place, spew, which is placed in the preset and 
post-set of every transition of N;. The labeled transition system of N/ is isomorphic to that 
of N;. Now, N,’ is constructed by adding to N/ a new a-labeled transition t,, for every visible 
label a, and hooking up each ¢, so that its post-set is empty and its preset contains only the 
place spew. All of the ¢, are enabled under every reachable marking of N/, and firing any one 
of them puts N/’ in a deadlocked state. 

N, and Nz are trace equivalent iff Nj‘ and N3’ are failures equivalent; the proof is identical 
to that of Kanellakis&Smolka [26] and is omitted. This is a polynomial-time reduction from 


trace equivalence to failures equivalence. : 


We then have as a corollary: 
Theorem 6.5.6 Failures equivalence of finite nets is EXPSPACE-hard. 


Our proof of a DEXPTIME lower bound for bisimulation is a simple adaptation of Stock- 
meyer’s result [36] for Mazurkiewicz nets: namely, we reduce the acceptance problem for 
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polynomial-space Alternating Turing Machines to the bisimulation problem for finite 1-safe 
Petri nets. In particular, we simulate the tape and finite-state control of polynomial-space 
Alternating Turing Machines by polynomial-time constructible 1-safe Petri Nets, and our re- 
duction to bisimulation is essentially identical to that of Stockmeyer. Since Mazurkiewicz nets 
are somewhat more succinct than l-safe Petri Nets, our lower bound for bisimulation is a minor 
technical improvement of the results of Stockmeyer. 


Theorem 6.5.7 The acceptance problem for polynomial-space Alternating Turing Machines 
is polynomial-time reducible to bisimulation of finite nets. 


Proof. Let A be an alternating Turing Machine that, for some polynomial p, uses 
p(n) space on input of size n. A well-known property of polynomial-space alternating Turing 
Machines is that every computation halts in deterministic time exponential in the size of the 
input [11, 27]. Let p(n) be so large that 2°) exceeds the time bound of A on input of 
size n, and let & be the finite tape alphabet of A. We can assume without loss of generality 
that A begins in an existential state, existential and universal states alternate at every step, 
and when A enters an accepting state it continues to take steps while staying in accepting 
states. Furthermore, we can assume that A has exactly two possible moves at every step, every 
existential state has at least one immediate successor that is a rejecting universal state, every 
universal state has at least one immediate successor that is an accepting existential state, and 
the final state of every computation is an existential state. 

For any input x, we first construct a polynomial-size Petri Net net(A,) that “simulates” 
the computation of A on x. Each tape square i of A is represented as a group of places 
{8(i,ar)> ++ +9 S(i,ax)} U {S(i,q0)9 «+ +s Si.) ft, Where © = {a,,...,a,} and {qo,...,q@} are the control 
states of A. The idea is that for each tape square 7, exactly one of the places in {5¢,4,),-- +5 8(i,a,)} 
will be marked under every reachable marking, indicating which tape symbol is currently written 
on tape square 7. Furthermore, over all 1 <7 < p(n) and all 0 <7 <I, exactly one of s¢;,,,) is 
marked, indicating which tape square holds the head and which control state A is currently in. 
Let x = aj, ...4;,; then exactly the places {5(1,4,,),--+5S(n,ai,)} U {S10} are initially marked. 

The net net(A,) is wired up as follows: for every tape square 7, every control state q, every 
symbol a; € U, and every control transition (q¢’,a;,D) € 6(q,a;) in A, where D is either L or 
Rk, net( A) contains a transition tgsaj)—=(q'ayr,D)* labeled with some common label 1. The idea is 
that this transition fires iff A is currently in control state g and tape square 7 holds the head and 
contains a;. Firing this transition puts A in control state q', writes a;, on tape square 7, and 
moves the head to tape square i —1if D = LE and to tape squarei+1 if D= R. In particular, 
the preset of transition tg,aj)—=(a'a,D) is {8(,9); S(i,a;)} and the post-set is {$(i-1,9')> Sti,a,n 5 or 
{$(41,9')> S(i,ay+) 5 depending on whether D is EL or R. Finally, for every accepting existential 
control state q and tape square 7, we introduce a transition X(;,) with preset {5;;,.)}, empty 
postset, and label acc. For every rejecting existential control state g and tape square 2, we 
introduce a transition X;;,,) with preset {s(;,,)}, empty postset, and label acc, and a transition 
Yo) with preset {5;;,.)}, empty postset, and label rej. Clearly, net(A,) contains (k + 1) - p(n) 
places and at most (21+ m)- p(n) transitions, where k is the size of the tape alphabet of A, / 
is the number of control states of A, and m is the number of control transitions of A. 

It is straightforward to show that net(A,) is l-safe, sequential (7.e., no transitions can fire 
concurrently under any reachable marking), and that its labeled transition system is isomorphic 
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Figure 6-4: Labeled Transition System of Np 


to that of A on input 2, ignoring the labels of the control transitions, and ignoring the acc- 
labeled and rej-labeled transitions altogether. 


Let T be the deterministic Turing machine which, started with a string of 0’s on its tape, 
successively adds 1 to the binary number on its tape until the original string of 0’s is changed into 
a string of 1’s (of the same length). Then 7 enters an accepting state and halts. So, when started 
on a string on m 0’s, it runs for at least 2” steps and halts. The polynomial-time translation 
net given above for alternating Turing Machines also holds for any deterministic polynomial- 
space Turing Machine, except that we add both acc-labeled and rej-labeled transitions for 
every pair (t,q). Hence if “started” on input consisting of a string of p’(|z|) 0’s, this net is of 
size bounded by some polynomial in ||, and has the sole behaviors that it fires at most some 
fixed m’ > 2°") number of 1’s, and each point along the way it non-deterministically chooses 
between firing either ace or rej and exiting, or firing a 1. Furthermore, after firing m’ 1’s 
followed by a single ace or rej, it reaches a deadlocked state. We call this net Count(m’). We 
can assume without loss of generality that m’ is odd, and since m’ exceeds the time bound of 
A on input x, we can assume without loss of generality that every computation path of A on 
input 2 is exactly of length m’. 


To finish the construction, let Np be a finite 1-safe net of constant size with the labeled 


transition system pictured in Figure 6-4, and let N, ae Nr |liace rej Count(m’), where 
synchronization is required on the symbols 1, acc, and rej. N, is of size polynomial in |x|, and 


its labeled transition system is bisimilar to the transition system pictured in Figure 6-5. 


We now show that net(A,,) is bisimilar to the net NV, iff A accepts input 2. For one direction, 
suppose that net(A,.) is bisimilar to N,; then net(A,) must have some m’-length path bisimilar 
to d(a)V(a)d(a)V(a)...d(a) after which it fires an ace-labeled transition. Thus, all the states of 
net(A,) that are reached along the way must be accepting. Since the labeled transition system 
of net(A,.) is essentially isomorphic to the labeled transition system of A on 2, A must accept x. 
Recalling our assumptions on A, the other direction follows by a simple induction on ~;, where 
~,; is an t-step bisimulation (cf. [30]). This is a polynomial-time reduction from the acceptance 
problem for polynomial-space alternating Turing Machines to bisimulation of finite nets. : 
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Figure 6-5: Bisimilar to the Labeled Transition System of N, 
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It is well-known that the class of problems decidable in polynomial space by alternating 
Turing Machines is the same as the class of problems decidable in deterministic exponential 
time by ordinary Turing Machines [11, 27]. We then have as a simple corollary of this fact and 
Theorem 6.5.7: 


Theorem 6.5.8 Bisimulation of finite nets is DEXPTIME-hard. 
We now show the lower bounds for the remaining equivalences listed in Table 6.1. 


Theorem 6.5.9 For finite nets, 


1. trace equivalence is polynomial-time reducible to step-trace equivalence, ST-trace equiv- 
alence, interval pomset-trace equivalence, and pomset-trace equivalence, 


2. failures equivalence is polynomial-time reducible to step-failures equivalence, 5T-failures 
equivalence, and interval pomset-failures equivalence, and 


3. bisimulation is polynomial-time reducible to step-bisimulation, ST-bisimulation, history- 
preserving bisimulation, maximality-preserving bisimulation, pomset-bisimulation, and 
pomset-ST-bisimulation. 


Proof. We give the proof only for pomset-trace equivalence, as the other cases are com- 
pletely analogous. For any finite nets N,, N2 without hidden transitions, let N/ be constructed 
by adding to N; a single new, initially marked place which is placed in the preset and post-set of 
every transition of N;. Clearly, N/ is trace equivalent to N;. Since no transitions in N/ are stat- 
ically concurrent, it is easy to see that Nj and NJ are trace equivalent iff they are pomset-trace 
equivalent; hence N, and N» are trace equivalent iff Nj and Nj are pomset-trace equivalent. 
This is a polynomial-time reduction from trace equivalence to pomset-trace equivalence. : 


We then have as a simple corollary: 


Theorem 6.5.10 For finite nets, the decision problems for 


1. step-trace equivalence, ST-trace equivalence, interval pomset-trace equivalence, and pomset- 
trace equivalence are EXPSPACE-hard, 


2. step-failures equivalence, ST-failures equivalence, and interval pomset-failures equivalence 
are EXPSPACE-hard, 


3. delay bisimulation, branching bisimulation, step-bisimulation, ST-bisimulation, history- 
preserving bisimulation, maximality-preserving bisimulation, pomset-bisimulation, and 
pomset-ST-bisimulation are DEXPTIME-hard. 


Proof. Delay bisimulation and branching bisimulation coincide with bisimulation for 
nets without hidden transitions [43]. The lower bound for delay bisimulation and branching 
bisimulation is thus a simple consequence of Theorem 6.5.8. All the other lower bounds follow 
immediately from Theorems 6.5.4, 6.5.6, 6.5.8, and 6.5.9. : 


We remark that all the lower bound results in this section are independent of the presence of 
hidden transitions, except as specifically stated in the lower bound proofs for trace equivalence. 
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6.6 Conclusions 


We remark that all these complexity results apply equally to process approximation as well 
as equivalence. An open problem is the decidability and complexity of augmentation-closed 
pomset-trace equivalence. Another open problem that we regard as especially significant is the 
decidability and complexity of our earlier general pomset-failures semantics [23], which keeps 
track of concurrent divergences. We are currently working to extend our methods to handle 


these cases. 


Chapter 7 


Other Results, Open Problems, and 
Future Work 


There is not yet a consensus on what an action refinement operator should be. For example, 
our action refinement operator and that of [47] are tuned to a CSP-style synchronization- 
with-restriction, while those of [3, 20] are tuned to a CCS-style synchronization-by-hiding- 
complementary-actions. In this regard, an action-refinement theory closely related to ours 
has been proposed by Hennessy [20]. His theory incorporates an interesting, and in certain 
respects more powerful, action refinement operation, and he has compositionality and full ab- 
straction results similar to ours. Unlike our action refinement operation, Hennessy’s definition 
allows “concurrent” refinement nets to “communicate” with one another in a manner closely 
related to CCS-style parallel composition, where concurrent, complementary actions (7.e., a and 
a) can synchronize and perform a hidden move. However, in order for Hennessy’s semantics 
to remain compositional for this powerful sort of action refinement, this inter-communication 
must in fact be quite restricted: in particular, “initial” hidden communications between re- 
finement nets must be disallowed. As a result, Hennessy forbids some simple action refine- 
ments like (a | b)[a:=c, b:=¢]. We have explored the connection between Hennessy’s and 
our theories of action refinement in [25]. In particular, [25] presents a new operator of self- 
synchronization, which allows concurrent transitions within a process to synchronize, and shows 
that self-synchronization provides a tight connection between our action refinement operator 
and Hennessy’s communicating action refinement operator. Furthermore, self-synchronization 
can detect “steps” of concurrent actions, and hence non-interleaving semantics are not compo- 
sitional. 

In a related direction, we believe that true concurrency semantics may reveal a distinction 
between existing synchronization operators for which non-interleaving semantics are compo- 
sitional. For example, in interleaving theories like CSP and CCS, the choice of operators is 
immaterial since the different synchronization operators can simulate each other. However, 
the known simulations do not preserve true concurrency semantics. The relation between the 
process theories based on these different synchronization mechanisms remains an interesting 
question, which we are currently exploring. 

This thesis has shown that our [-]“*",[-]Mie) and [-]i;3, are compositional for all our 
operators, including action refinement, and are respectively adequate for MAY-, MUST-, and 
Testing-equivalence. However, it remains open as to which sorts of observations these semantics 
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are fully abstract. To this end, we are currently working on a theory of local observers, which 
we believe will be able to detect full causality and concurrency through experiments. 

In Chapter 4, we showed that all of our semantical spaces form complete partial orders, and 
that our action refinement and CCS/CSP operators on nets correspond to continuous semantical 
operations. Consequently, we expect that our theory will routinely support arbitrary (not merely 
guarded) recursive definitions of nets, with recursion understood as usual via least fixed points. 
We hope to formalize these definitions in the near future. 

An important direction for further research is development of the algebra of process terms 
with refinement. One immediate problem to consider is finding a complete axiom system for 
equations between closed recursion-free CSP/CCS process terms—corresponding to the (non- 
divergent) isolated elements in our semantical spaces. 
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